Tuesday, October 23, 2012

AV Updates - Where Do You Fit In?

Since my last post about AV, I've had some more discussions with industry peers, vendors, friends, and family. I've re-read my post today and want to clarify a few points.

First of all, AV is critical. If you read any sort of undertone in the AV thread indicating AV was not essential or effective, I'd like to correct that. It's a must for everyone. If you look at modern threats and those that are highly pervasive, AV is extremely successful at prevention - keeping you from being compromised or infected. Highly pervasive malware detection leveraging signatures is where AV vendors tend to average about the same in terms of effectiveness. Where they begin to separate out is when you move from the highly pervasive/common malware into the variants, targeted malware, and deeper levels of sophistication. So there is a direct correlation between who you are, what you do, and what you need. If you are only exposed to highly pervasive threats, then standard/free AV is good for you. If you are a potential target (small business owner, public-facing for your employer, executive, etc.), you need to move beyond free protection.

During a brief at the McAfee security conference in Las Vegas this week, I saw a report from NSS Labs that listed Kaspersky, McAfee, and Trend as 100% effective at HTTP-based detection of pervasive threats. AVG was about 50% effective. But if you think in terms of the pervasive threats and what the average home user will be exposed to, I maintain that free solutions like AVG and Microsoft Security Essentials will remain largely effective - better than the 50% indicates. The reason I maintain that position is that the threats you will likely be exposed to will fall within that 50% coverage. I'm also extremely nervous about anything that says 100%...because that's just not possible in my world. The list is defined by some arbitrary cut-off level, which I believe is subject to debate. So in terms of the home user experience...I give free AV better than 50%, and commercial AV less than 100%. The cautious home user who thinks before they click will be well protected with free AV products.

Within the pervasive threat category, McAfee contends (and I agree) that to get closer to that 100% you need a combination of signature-based detection (AV) and Threat Intelligence (identification of malicious hosts/websites, or website reputation scoring). This combination provides a comprehensive and extremely high-fidelity protection set. To get the most out of this...you'll need a paid-for product like Kaspersky or McAfee. Typically these come advertised as AntiVirus, AntiSpam, AntiSpyware.

The next tier of threats requires some additional capabilities for detection, specifically around behavioral analysis, which sort of takes free AV off the table. To combat this category of threat, you'll need a commercial or "full suite" host-based solution. These are going to be your expensive AV products; in the AVG world, you'll need to pay up for the additional features. However, this category of threat is not as pervasive, and the average home user is much less likely to be exposed to these sorts of threats unless you are browsing around bad areas of the Internet. If you do a lot of social media where you're clicking on lots of links from Facebook friends, or mass-forwarded emails, etc., then look to a more feature-rich solution. If you do online gaming, or watch lots of Flash video...the same applies. This tier combines AntiVirus, AntiSpam, AntiSpyware, AntiMalware, and Website Reputation or Categorization.

The final tier is customized and targeted malware, which has a broad variation in terms of attributes, behaviors, and evasion capabilities. This final tier is where you need commercial solutions...but beyond AV. However, a full-featured host-based security suite will go a long way. So who needs this at home? If you are running a business from your laptop and have any sort of sensitive information on it...then go this path. This final tier includes the capabilities of the previous lists, but adds things like AntiRootkit.

So here's a breakdown which may be overly simplified:

  • Free AV (AVG, Microsoft): best for home users who are cautious about their Internet use, check email carefully, browse a small number of "known" websites, and don't do a lot of social media interaction or limit it to only people you trust. Online banking is ok here...if you are also very cautious. Capabilities include:
    • AntiVirus
    • AntiSpyware
  • Full AV (McAfee, Kaspersky, Trend): best for home users who venture out of the box a little, perform extensive Internet searches/browsing, view lots of online videos, connect to lots of people via social media and email, tend to be click-happy (you like to click around the Internet), play games online, etc. Capabilities include:
    • AntiVirus
    • AntiSpyware
    • AntiMalware
    • AntiSpam
    • Website Reputation
  • Commercial AV: if you do any home-based business on your system, go the commercial route. Most vendors have Small Business solutions that incorporate some additional features. Leverage them...remember you are storing other people's information, or information about yourself, that can lead to identity theft or stolen information.
    • Full AV
    • AntiRootkit
    • Application whitelisting

Saturday, October 6, 2012

Web Browsers


In my last post (AntiVirus at home), I mentioned one tool (AV) you can use at home to help defend against criminals who want to deliver malware onto your computer. Email and web browsing were the two primary delivery vectors I discussed in that post. The topic for today also addresses malware delivery but this time via your web browser. The question for this post is "which web browser should I use?" I've heard incorrect assumptions from friends and family who heard from someone they respect that "they will be secure if they use...." or "using ... means I'm not secure." Well, let's dive into that.


First off, your web browser is the application on your computer you are using to view this blog. They come in many shapes and sizes, and many web-enabled applications today contain web browser features. Your apps on your smartphone or tablet, for example - many of those which display content to you from the Internet are essentially web browsers. Quite simply, a web browser is an application that interacts with Internet languages and protocols to display stuff to you. Internet content such as movies, animated graphics, or documents is usually opened via another program on your computer upon request from your browser. That's why you have to install things like Flash Player, Shockwave, and PDF Reader. These aren't browsers, but more on that in a minute.


There are too many to mention here, but some of the primary web browsers include Microsoft Internet Explorer (IE), Mozilla Firefox, Google Chrome, Apple Safari, Opera, Camino, and Netscape Navigator. Microsoft IE and Apple Safari are likely the most commonly used among home users since they come pre-installed in Windows and OS X respectively. Within corporations, typically Internet Explorer or Mozilla Firefox are the "approved" browsers, with exceptions for Safari on Apple computers.


Web browsers render website code written in programming languages such as HTML, XML, or PHP to display the contents in attractive formats. However, additional applications on your computer that integrate with your browser (called plugins) are used when the website content (usually media) cannot be displayed. This most commonly includes active media content written for Java or Flash, or specially formatted documents in PDF. When a browser encounters content in these non-HTML/XML codes, it calls the local application that can display the code, and the results are usually rendered within your browser. YouTube is a great example of this since the website is HTML, but the videos are in Flash (.swf) format. Many websites include active code like PHP which will inspect attributes of your computer to determine which format of active content should be displayed to you. A video may be served in Java or Flash or some other type depending upon your configuration.


A browser can't be used to exploit your computer unless there is a vulnerability in the browser, a vulnerability in one of the "plugins" mentioned above, or in how the browser uses a plugin. Usually it's one of these plugins that is actually used to compromise your computer, not the browser itself. The browser becomes the medium by which the exploit or malicious code is transferred to the vulnerable application on your computer. Take the Blackhole exploit kit as an example. It is one of the most widely used kits out there that leverages weaknesses in active content plugins (Flash or Java) to serve you malware. Your browser hits a page which includes an embedded Java applet. Your browser calls up the Java application on your computer, and loads the Java code. The malicious Java code exploits a flaw in that software to automatically connect to another website to download and launch a malicious file. In many of these cases, it's not your browser's fault - it's the plugin that put you at risk. Probably the most common browser-targeted exploits used today include cross-site scripting and iframe vulnerabilities. You can read about those at Wikipedia if you'd like, but essentially the process is the same: embedded code causes your browser to load malicious content.


I summed up the past 2 months of vulnerabilities related to web browsing according to the United States Computer Emergency Readiness Team (US-CERT):

Adobe Flash: 3
Adobe Acrobat Reader: 21
Adobe Shockwave: 5
Apple Safari: 3
Google Chrome: 24
Internet Explorer: 9
Mozilla Firefox: 31
Perl: 1
PHP: 2
Opera: 2

Based on this sample set from the past 2 months, Google Chrome and Mozilla Firefox had the most vulnerabilities, followed by Internet Explorer, Safari, and Opera respectively. This might surprise you, but statistics of new vulnerabilities in a browser show that Firefox alone averages about 44% of all web browser bugs. It has a horrible record. However, the Adobe, Perl, and PHP applications listed above are plugins which interact with each browser. So, even if your browser had 0 vulnerabilities, it's likely that with this set of application vulnerabilities you would still be at risk.

Which is the Most Secure?

That's a very difficult question to answer and I won't bore you with the background, but I call it a toss-up between Google Chrome and Internet Explorer. By itself, Chrome has been built with security at the front, and Google is very quick to release updates when flaws are discovered. Microsoft is hands down the best at addressing new vulnerabilities, and the latest versions of IE along with Windows 7 prove difficult to exploit. Firefox comes next. It is constantly being updated to fix newly discovered bugs, but they do a solid job of releasing updates. Apple Safari is at the bottom of the list for me because Apple is notoriously slow to fix vulnerabilities. It's common that a flaw will be discovered and Apple will take weeks and sometimes months to release an update, leaving users exposed to compromise for long periods. Just Google "Apple slow to patch" and you'll see what I mean.

Rumors and Confusion

All of these web browsers are advertised as "the safer and faster way to browse the Internet." Or something like that. It became very trendy a few years ago to drop IE and use Firefox. This trickled out from those in the IT vocation to friends and family, and the next thing I knew people were telling me they were secure at home because they don't use IE anymore...they use Firefox. Sorry to say, that's actually wrong.

Choosing a Browser

Before you take the plunge and commit yourself to a browser (by the way, I have 5 of the above installed on my laptop), you need to weigh your planned use, compatibility, risks, and threats.

Planned Use

So, what do you do with your web browser, and what is most important about your browsing experience? Personally I prefer simplicity, ease of use, and speed. Those are my top three. My planned use is...well...surf the web effectively and securely and enjoy the content websites offer. To that end, my go-to is Google Chrome. But I often find cases where Chrome simply doesn't work right. In those times I switch back to the most stable and consistent browser, Internet Explorer. Some of the websites I use often simply don't render correctly in Firefox or Safari, so rather than spend time getting frustrated, I just stick to Chrome and IE.


So your favorite browser is Firefox and you just browse the Internet to read news and check email. Are you at risk? Yes. However, risk assumes there is a vulnerability in your software, an exploit which can take advantage of that vulnerability, and that the exploit is delivered to you. Unfortunately, exploit code is spread all over the Internet on various websites, including totally legitimate ones. The Russian Business Network (RBN), for example, is run by cyber criminals who network resources and offer Internet services to other criminals. They also use their network for legitimate purposes and serve web banners and ads on common websites. If you hit one of these sites, you could be exposed to exploit code. There's also a ton of malicious code hosted through websites that serve illicit content and online games. There are also some cyber criminals who monitor web trends (the things people search for on Google) and create malicious websites dedicated to those topics to get you to browse to them and expose yourself to the malicious code. Needless to say, the risk of exploitation is very high. If there's a new trend or breaking news story, chances are there are websites being created by criminals that will serve you information about the topic, and along with that, malicious code for your browser.


Take a look at the vulnerability and exploit sections of this post and you'll also see why I chose Chrome and IE. But consider this when browsing the Internet. Sorry Apple, but I warn all of you Mac users out there to stay away from Safari. You're better off installing Chrome on your Mac.

As I mentioned in my post about AntiVirus, your best defense is to patch your browser and related plugins regularly and at least check for updates weekly. Microsoft releases updates every Tuesday (if there are any to be released) and Google releases them when they are ready. Apple seems to release them when they eventually get around to it (bad Apple, bad!). Next, read those warnings from your browser and listen to their advice. If the browser says you are loading potentially unsafe content, stop! If you have to bypass a security feature to browse the content, think about that before you click. If your computer asks permission to open a file, make sure you trust the source. Finally, don't mess with your browser's security settings. One thing all the providers have in common is they will push security features to you in patches. So again, patch!

Be safe!

Friday, September 28, 2012

AntiVirus at Home

An Introduction

As most of you can attest, when people find out about a skill, talent, gifting, or trade-craft you possess, they ask for help with related issues. In my world this translates to cybersecurity. The prevalence of the Internet and access to it has so permeated life that I don't know of anyone who doesn't or hasn't accessed an Internet resource. US life has become so tightly integrated with the Internet, or the interconnection between IT systems, that it is literally in everything. Social media (Facebook, Twitter, G+, etc.) have taken this to a new level. With that comes a slew of issues which many people don't have the time, energy, interest, or motivation to pursue. Fortunately we can rely on each other, right? That's my goal for this blog. My hope is that I can share some insight into what I've learned and what I do on a day-to-day basis to help all of us safely use this thing called the Internet effectively and responsibly.


Because of my vocation, I get a lot of questions from friends and family about how to stay virus-free on the Internet. First of all, it's not possible, so let's just set that expectation. I don't care if you use a Mac, Windows, or Linux system; if you use the Internet, you will be infected at some point. Just in the way of keeping things modern and accurate, I'm going to also clue you in on a terminology shift. Today the bad things that infect your computer (viruses, worms, trojans, spyware, adware, etc.) are more commonly referred to as malware, short for malicious software. So moving forward, everywhere I say malware, think "bad stuff on my computer."

Next, a quick explanation of what these bad things called malware are. They range in nature but generally speaking install themselves deceptively or behind the scenes, collect information about you and your system, and transmit that data to an awaiting cyber criminal. That information varies from banking data, to personally identifiable data, to passwords, to everything you type, you name it. There's even malware that will activate your webcam and microphone to spy on you. Yes, it's true! Some malware seeks to use you to spread itself to your family and friends so it can steal more information from more people. Some will even transmit communications on your behalf via email, asking your friends to click some link to view cute pictures of your family. The tactic used to deliver malware that comes in the form of an attachment or link in an email, message board, Facebook post, etc. is called Phishing and is one of the most common delivery methods. Ever receive an email from some foreign royalty asking for your bank account number to transfer millions of dollars to you? Yep, that's Phishing. Ever get a strange email from a friend that has a bunch of grammar problems and incomplete sentences and you wonder if they wrote it while under the influence of a foreign substance? That foreign substance is probably a language translator and you've been served Phish. The worst type of malware is commonly called a Trojan Horse. Its goal is to install an application that runs on your computer and allows a remote criminal to connect and interact with your computer. Bad stuff!

Ok, now the bad news. You are being targeted. Yes, you. Don't think I'm not talking about YOU because you are "just a home user who accesses the Internet to check Facebook and email." Another misconception I hear is "I don't do anything like banking on my computer, so it's ok if they compromise me." Really, so you don't mind being used as an intermediary to serve pornography or used to attack national and corporate networks? Social media and email are two of the most targeted Internet communication channels in use today. Criminals abound in Facebook land. The harsh reality is there are teams and organizations of cyber criminals out there trying to get to your computer so they can steal information from you, or get you to buy their stuff, or use you as an intermediary, etc. Their motivations are as broad-based as the nets they deploy to capture you. Just browsing to a website can infect your computer if malicious code has been injected into the page by an adversary. There is a dark side to the Internet and criminals abound. If you are interested, there's a terrific book titled "Fatal System Error" by Joseph Menn which includes a running chronology of how criminals moved from physical theft to cyber theft. The mafia is alive and well...they just moved cyber. But it's not just the mafia. Another deep dark secret is the prevalence of cyber criminals who do what they do as a career. Just as there are good organizations focused on providing your Internet access, there are malicious organizations providing infrastructure, tools, and resources to the underground communities. There are too many to count, but thousands upon thousands of websites and home users have been compromised and are unknowingly being used to serve you malicious code. In fact, cyber criminals are better at sharing resources than the defenders are. I heard a recent presentation on identity theft and the costs to purchase information on the Internet that has been stolen to replicate an identity. The price has plummeted because the market is saturated. Yes, free market principles and supply-and-demand are used by the adversary too. They infect you and then sell your information or access to your computer for other criminals to use for their purposes. It's an entire multi-billion dollar industry.

The other bad news is AntiVirus is only marginally effective. Even the best AV out there is, by some estimates, only 50% effective or less. I've heard some argue that AV is only about 30% effective. In my experience analyzing malware and variants, both commercial and freely available AV solutions are horrible at detection beyond the most common forms of malware.

And there's more bad news. There are lots of fake antivirus products out there that are actually malware. If you browse to a website and get a popup that looks like it's coming from Windows or an unknown application that says you've been infected, don't trust it. If it says you have to download or buy something to fix the problem it found, it's most likely malicious or at least deceptive.

Ok so what do you do? Do you stop using the Internet? Do you even bother with AV? My answers are no and yes respectively. Using the Internet has an inherent risk but tremendous rewards. You will most likely be compromised at some point. Just like your credit card numbers will be stolen and used at some point. Mine have been, twice. That's just the world we live in today. But the same risk applies to many aspects of life. Do you stop driving because of the risk of being in an accident?  I hope not.

First Line of Defense

Patch, patch, patch. Make sure you are checking regularly for security and software updates on your computer. In Windows, browse over to your Control Panel and launch the "check for updates" application. Install anything and everything (except those annoying language packs listed under optional updates). For Mac users, click the Apple menu and launch Software Update. Again, install anything and everything recommended. Also check for updates to Adobe PDF readers, Flash Player, and Java. Keep those browsers up to date as well (Firefox and Chrome included). You can't be exploited if you aren't vulnerable. There are always unknown vulnerabilities, but start with at least covering the known ones. Finally, don't click links in emails or social media/chat forums that seem odd or are from people you don't know, and never open a file you aren't expecting.

What AV should you use? 

That totally depends upon what is available to you. My ISP (Cox) provides a free copy of McAfee's suite of client-based solutions including AV and a convenient website reputation checker. It's a terrific product and generally speaking I'm a fan of McAfee solutions. However, on some computers I use Microsoft Security Essentials (free from microsoft.com), which is another terrific product. Yes, I said Microsoft, security, and terrific in the same sentence. Despite the buzz, Microsoft is actually very good at security these days. Before Microsoft I used AVG Free, which is another terrific product. For my Mac I use Sophos because they have a free AV client. Yes, you must use AV on a Mac. Despite Apple's amazing marketing campaigns, they are very poor at responding to and fixing security vulnerabilities, and yes, there's lots of malware out there that will infect your Mac. Don't believe the hype that you are any more secure than a Windows PC, because you are not. Just ask my poor little sister. In my professional life I have seen and analyzed Mac-targeted malware.

Personally, I will not pay a penny for AV. There are plenty of free solutions out there that are just as effective as the most expensive ones (sorry vendors). You may not get all the added features, but you'll get a solid foundation for active defense. Don't believe me? Do some searching...there are lots of organizations who perform regular tests on AV products throughout the year and release "effectiveness" reports. There's also a very handy website called "VirusTotal" (virustotal.com) which compares malware samples among multiple AV engines (all the major ones and many minor ones too). Typically if a piece of malware is known, they all detect it. If the malware is new or a slight variant, none of them detect it. Please don't assume that the AV product your company uses is any better than a solution you can get for free. If you receive an attachment or file, before launching it you can upload it to VirusTotal for free and get a scan report from a few dozen AV products. Pretty neat.
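The "known sample is caught everywhere, slight variant slips through" behavior described here, and the AV Updates post's remark that vendors average about the same on pervasive malware but separate out on variants, can be seen in a toy multi-engine scan. This is an added example, not the author's code, a real AV engine, or VirusTotal's service: the "samples" are constructed benign byte strings and the two "engines" are hypothetical signature styles (exact file hash versus a byte pattern).

```python
"""Toy signature scanner: why a multi-engine report agrees on a known file
but disagrees on a slightly modified variant.

Everything here is constructed. The samples are harmless byte strings that
stand in for files; the engines are two signature styles, not real products.
"""
import hashlib
import re
from typing import Callable, Dict, Optional

# Constructed stand-in for a known malicious file (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00 constructed-sample build=1 beacon=example.invalid"

# Slight variant: one field changed, the telling artifact (beacon string) kept.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"build=1", b"build=2")

# A harmless file that shares nothing with the sample.
CLEAN_FILE = b"Hello, this is a constructed holiday photo caption."


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the usual key for exact-match signatures."""
    return hashlib.sha256(data).hexdigest()


# Engine A: exact file-hash signatures. Cheap to create and share between
# vendors, but any single changed byte yields a different hash and a miss.
HASH_SIGNATURES: Dict[str, str] = {sha256_hex(KNOWN_SAMPLE): "Constructed.Sample.A"}


def hash_engine(data: bytes) -> Optional[str]:
    """Return a detection name if the whole-file hash is known, else None."""
    return HASH_SIGNATURES.get(sha256_hex(data))


# Engine B: a byte-pattern signature anchored on an artifact that tends to
# survive rebuilds (here the hypothetical beacon host string).
PATTERN_SIGNATURES: Dict[re.Pattern, str] = {
    re.compile(rb"beacon=example\.invalid"): "Constructed.Sample.B",
}


def pattern_engine(data: bytes) -> Optional[str]:
    """Return a detection name if any byte pattern matches, else None."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


ENGINES: Dict[str, Callable[[bytes], Optional[str]]] = {
    "HashOnlyAV": hash_engine,  # hypothetical vendor names
    "PatternAV": pattern_engine,
}


def multi_engine_scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run every engine over one file, like a multi-engine scan report."""
    return {engine: detect(data) for engine, detect in ENGINES.items()}


def detection_ratio(report: Dict[str, Optional[str]]) -> str:
    """Summarise a report as 'hits/engines', the headline number such sites show."""
    hits = sum(1 for verdict in report.values() if verdict)
    return f"{hits}/{len(report)}"


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("clean", CLEAN_FILE)):
        report = multi_engine_scan(sample)
        print(f"{label:8s} detected by {detection_ratio(report)}: {report}")
```

The known file scores 2/2, the one-field variant drops to 1/2 because only the pattern engine still fires, and the clean file scores 0/2; the variant is where engine quality, not the shared signature feed, decides the verdict.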

Should You Use Multiple AVs?

Generally speaking, no. It seems like a great idea, but oftentimes multiple AV products conflict with each other. Some even read another product's scanning processes as malware and will try to shut it down. Just pick one and stick to it.

What do I do now?

Step 1: Install AV on every system you use to browse the Internet: Windows, Mac, and Android smartphones. Check with your ISP for a free copy of a commercial product, or download a free one from Microsoft, AVG, or Sophos. If you want to, spend the money...but it won't buy you much.

Step 2: Keep it updated. Most AV products will automatically update themselves at least daily with new detection capabilities. Check your AV regularly to see the status and update if it's more than a few days behind.

Step 3: Run scans often. I used to run full system scans weekly on all my computers. I've relaxed that a little, but it's still good practice. If the scan finds something, accept the recommended action to remove or quarantine the item.

Step 4: Don't panic when you get infected and don't get mad at your AV product. If it's up to date, then chances are pretty high that the "other AVs" wouldn't have caught it either.

Step 5: Don't trust any "virus" or "worm" or "infection" warnings from websites. They are likely fake and trying to get you to install a fake AV product which in fact is probably malware.

Hope this is helpful to someone.