Netsafe executive director Martin Cocker says a diagnostic tool has not yet been produced that will recognise all the signs of a security threat and still be comprehended by a typical home user.
Cocker was responding to questions after security company Symantec demonstrated the workings of some subtle strains of malware. With reputable websites now being infected by malware, the message “stay away from obviously shady websites” is no longer enough, says Symantec group product manager for endpoint threat protection John Harrison.
Likewise, it should be made clear that the message “keep application patches and enhancements up-to-date” applies to all applications. Not enough emphasis is put on this, he suggests, with many computer users thinking it’s enough to update their operating system and perhaps their browser.
Malware also attacks vulnerabilities in applications such as the Quicktime video player and iTunes. Even a fairly large business may not think to put in place a patching regime for iTunes, Harrison says.
The Netbasics section of Netsafe’s website does emphasise that “all software should be kept up-to-date”, but this advice comes only on the second page of its “updating for security” section, brought up by the link “find out more”.
“If you’d gone to the page in 2005, you’d have found us talking about operating system and browser updates”, says Cocker; “but that was obviously in need of updating.”
Regarding “dangerous” websites, the advice on the Netbasics site is “only trust websites that you can verify to be legitimate”. Cocker acknowledges that any site can potentially be infected, but says it is impossible to keep up to date on all such infections, even by regularly updating malware detectors. “Symantec does a very good job,” he says, “but even they can’t keep on top of everything.”
At a meeting in Sydney earlier this month, Harrison demonstrated that there are telltale behavioural signs of a drive-by download infection. An attack of this kind will typically spawn a swarm of unknown processes, which can be seen with a process monitor such as that in Windows’ Task Manager.
He demonstrated Symantec Endpoint Protection raising an alert and choking off such suspicious behaviour.
“Who knows what all those processes do anyway,” says Cocker. A typical home or small-business user would not understand which processes are legitimate and which are suspicious. “The kind of people who have the expertise to do that are those who are savvy enough to protect themselves anyway.”
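As an added illustration of the behavioural sign Harrison describes (this is not code from the article, Netsafe or Symantec), the following Python sketch flags any parent process that spawns several child images not on an allow-list within a short window; the process-creation records, the allow-list and the thresholds are all constructed for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: (timestamp, parent image, child image).
# A browser on a compromised page suddenly fathers a swarm of unfamiliar processes.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "explorer.exe", "iexplore.exe"),
    ("2024-01-01 10:00:05", "explorer.exe", "notepad.exe"),
    ("2024-01-01 10:03:10", "iexplore.exe", "svch0st.exe"),
    ("2024-01-01 10:03:11", "iexplore.exe", "upd8r.exe"),
    ("2024-01-01 10:03:11", "iexplore.exe", "qttask2.exe"),
    ("2024-01-01 10:03:13", "iexplore.exe", "winlogin.exe"),
    ("2024-01-01 10:03:14", "iexplore.exe", "cmd.exe"),
    ("2024-01-01 10:09:00", "iexplore.exe", "AcroRd32.exe"),
]

# Constructed allow-list of image names the operator has vouched for.
KNOWN_IMAGES = {"explorer.exe", "iexplore.exe", "notepad.exe", "cmd.exe", "AcroRd32.exe"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_spawn_bursts(events, window=timedelta(seconds=30), threshold=3, known=KNOWN_IMAGES):
    """Return {parent: n} for every parent that starts at least `threshold`
    children absent from `known` inside any sliding window of length `window`."""
    unknown_starts = defaultdict(list)
    for ts, parent, child in events:
        if child not in known:
            unknown_starts[parent].append(parse_ts(ts))

    bursts = {}
    for parent, times in unknown_starts.items():
        times.sort()
        start, densest = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            bursts[parent] = densest
    return bursts


if __name__ == "__main__":
    for parent, n in find_spawn_bursts(SAMPLE_EVENTS).items():
        print(f"{parent}: {n} unknown child processes in a 30s window")  # iexplore.exe: 4 ...
```

Real deployments would key on process IDs rather than image names and feed the allow-list from a file-reputation service of the kind described below, but the burst logic is the same.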
One Symantec solution to the problem of attacks on formerly trusted applications and sites is its Quorum technology, which establishes a reputation score for any file based on the experiences of tens of millions of users of Symantec’s software worldwide.
If a file about to be downloaded shows up as having given no problems to a significant number of users, it’s probably safe, but if it has been downloaded by relatively few users, caution is advised.
• Stephen Bell travelled to Sydney as a guest of Symantec.