Nick FitzGerald, AVG's Christchurch-based emerging threats researcher, is a former editor of the UK's prestigious Virus Bulletin publication. Computerworld asked about his role, the threats he's seeing and how users can boost online security.
Of all the emerging threats you see, which should business users be most concerned about and why?
My biggest concern is the continuing ease with which the organised crime groups behind most malware these days act much like other legitimate businesses. They buy professional advertising served by legitimate ad-serving networks, and yes, even the biggest ad networks.
These ads then appear on perfectly legitimate websites that your employees quite likely need to access to do their work.
The risk here arises from the attitude common among certain business IT folk that “we have a firewall to keep out worms and other network vulnerability-based attacks, and content filters to stop employees browsing porn, gaming and other ‘dubious’ sites”.
This attitude means that many business networks fall well behind on OS and application patches, and exploiting such unpatched machines is stock-in-trade for the drive-by download routines commonly used by the criminals referred to above.
The web is appears to be the main attack vector now, with infected websites. To what degree do users and web developers have to take responsibility for this?
Hugely. If you’re a web developer and can’t recite the OWASP Top 10 and the tools and methods built into your development cycle to ensure that your code doesn’t fall foul of them, you should be deeply worried.
If you’re a web developer and your reaction to the previous sentence was “What’s OWASP?” you may want to reconsider your choice of occupation.
For users, it’s a great deal harder, but as a first step, just be a darn sight more sceptical. The web mostly is not free, despite what its proponents would like you to think. Much of that apparently free content is, directly or indirectly, provided by people who largely hope to eke out a living by selling advertising or taking a slice of that advertising through click-through pay-outs and the like. There are many opportunities for the less scrupulous to abuse these systems.
New Zealand has featured as both the source of viruses, spam and of botnet attacks over the years. What activity do you see coming out of New Zealand now, if any? Why do you think that is?
New Zealand is not featuring significantly in my view of things.
What are the main drivers of online attacks now and where do they emanate from?
It’s all about making money. Well, that and laundering the ill-gotten gains of the other operations of organised crime behind most cybercrime. This could be the proceeds of prostitution, child pornography, gambling, people smuggling and so on.
They also make money by selling bogus software, mostly the so-called “rogue anti-virus” (and anti-spyware and anti-spam) and dubious to outright worthless “performance booster” software we’re seeing as a huge problem at the moment.
They make money by stealing identity information and plundering bank accounts, making fraudulent credit card charges and so on. They fence stolen goods (or ones bought with stolen credit cards) through “work at home” schemes. “Employees” in these schemes are also used to launder money and as go-betweens (commonly called “money mules”) for transferring money from compromised bank accounts to the actual criminals — “Withdraw 90% of this transfer to your account as cash and send it here via Western Union”.
Most of the bad stuff we see eventually traces back to Eastern Europe (the former Soviet bloc mainly), SE Asia and South America.
As a former editor of UK-based “Virus Bulletin”, what´s it like being insider in the security software business as opposed to an outsider?
In many respects, the Virus Bulletin is really the industry magazine for anti-virus developers and researchers. Aside from being editor I was also the technical expertise of the magazine, so that position was really an inside/outside position.
There was stuff the industry didn’t want me to know as a “journalist”, but there was stuff (often about their competitors!) they did want to talk about. Overall, I think it was a rather privileged place from which to be a reporter focused on that industry, and unlike such a reporter working for other media outlets.
You are a contractor to AVG based in New Zealand. What are the benefits of that arrangement and the drawbacks?
As a contractor I have greater freedom in negotiating what I work on and who I work with. I see no drawbacks.
What threats do you think we can expect to see emerging over the next two years?
I don’t make these kinds of predictions as they have a notoriously poor track record. With malware and cybercrime now being almost exclusively driven by organised crime running on a business model, changes are largely driven by criminal cost/benefit analysis of opportunities and risks.
At least in the short to medium term it seems likely we will see further use and abuse of social networking or more generally “Web 2.0” (properly pronounced two-point-uh-oh) technologies. This is because interest in, and use of, these is still growing and recent history shows us that organised crime is apparently able to make good money through these channels.
Name: Nick FitzGerald
Title: emerging threats researcher
Location: Christchurch, New Zealand
Favourite restaurant: Restaurant Schwass, Ferry Road, Christchurch — excellent!
Most recent read: Technological Turf Wars: A Case Study of the Computer Antivirus Industry by Jessica Johnston. This is an interesting interview-based study of the antivirus industry.
Favourite place to visit in New Zealand: The Coromandel, but my morning walk around the cliffs here is not a bad substitute.
Worst job: Truck driver. This was not actually a bad job, just not as good as the others.
First computer: PC XT clone with 640KB RAM, two 360KB floppy drives and a massive 30MB hard drive. IIRC, it cost something like $2,400.
What keeps you, Nick FitzGerald, awake at night: Coffee! Seriously though, I've become so cynical about the state of affairs that nothing worries me that much.