ESET on the Radio

Why Even Well-Known Websites Can Become Infected And How Consumers Can Stay Safe While On The Internet

Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
December 5, 2009

Alan:  If you think that by only going to large, well-known Websites you are not going to be at risk for having your computer infected, you had better think again!  Our guest today is Randy Abrams, Director of Technical Education with ESET.  Welcome back to Let's Talk Computers, Randy.

Randy:  Alan, it’s great to be back.

Alan:  If you just go to very large Websites, you cannot be 100% safe just by going to these sites.  It's so easy for such a site to be infected, and they won't even know it, will they?

Randy:  Well, they find out very quickly, because at these large websites there are a lot of people who encounter things.  It's important to remember, when it comes to security, and not just computer security, that you can't eliminate risk.  There is always going to be some level of risk, so what we do is try to manage the risk and bring it down to an acceptable level.

Alan:  How are these sites infected?  You would think that they have a large IT staff.  You know that they have a very big Web development staff.  So, how do they become infected?

Randy:  Well, there are a variety of ways.  In some cases you've got people that are doing security wrong.  Most of those sites do have talented IT people, and the way those sites become infected is this: if there is a zero-day vulnerability, something that nobody knows about, and they don't get all their layers of defense in place properly, then a hacker can go in, gain access to that Website and deface it or add malicious code.

Normally, it's not really the Website that becomes infected.  For example, the New York Times Website was serving up rogue anti-virus.  It wasn't the New York Times Website that had been compromised, really.  What it was was an advertisement.  The New York Times had their own content, the stories, on their server.

But when you go to their Website, the front page comes up in your browser, and the advertisements are not actually on the New York Times Website; they are on a different Website.  If the ad agencies aren't diligent in making sure who or what they are dealing with, then they funnel that malicious software to the large Website.

Alan:  I think the misconception is that we are going to a Website and we are viewing a page.  We are not really viewing a page at all, are we?

Randy:  No.  Actually, what you are viewing is the result of a whole bunch of programs telling the computer what to display.  When you go to that Web page there is a lot of HTML, which is the language of the Internet, if you will, and it says, "Display this text in this color and this font size here, and go out to this other Website and grab whatever it says is 'here,'" and whatever it says is at that location is out of the control of the New York Times Website.  You just have to trust that those people are doing it right.

Alan:  It's like reserving this spot on a page that the browser itself is going to render, but this spot is "for hire."  Advertisers reserve that spot and they can put anything they want in there, and that's where the problem comes in, doesn't it?

Randy:  It does.  They can put anything they want, within reason.  Typically, they want to put good content in that space because they want to do business.  But the desire to make a few bucks sometimes gets people to take shortcuts, and they don't do their checking to make sure they are actually dealing with a trustworthy individual, which they are 99.9% of the time.  It's really difficult to do due diligence, and it's the other fraction of a percent that bites you.

Alan:  It's the JavaScript that gets us in a lot of trouble, too, because people don't realize that you're not just serving up HTML pages; you have dynamic content, and then you also have JavaScript.  How does that bite us?

Randy:  JavaScript is a type of dynamic content.  Dynamic content really just means that it can be changed at any point; it isn't static and it doesn't stay put.  JavaScript is a very powerful programming language and we can do great things with JavaScript, but any tool that can be used for good can be used for bad.  So the "bad guys" use JavaScript to create programs that will allow them to infect your computer.

Alan:  The days of Script Kiddies are long gone; now you have kits on the Internet where anybody can basically download them and add to them, can't they?

Randy:  Exactly.  There are the kits, and kits have actually been around for quite a while, but they are getting much more sophisticated.  More threatening is that you get professional programmers that have been hired by the bad guys to get malicious software onto your computer, to make money by installing bots on your computer and renting your computer out.  They make money by faking clicks.  When you click on an advertisement, someone gets paid.  And they make your computer look like you're clicking on ads that you don't even see.

They also make money that way, and sometimes what they do is try to install rogue anti-virus software that makes a person think that their computer is infected when it's not (until they actually install the program), and they usually charge a hefty sum of money for it.

Alan:  I saw a quote that you put out some time back: "If you compare the first vacuum tube to the most powerful computers in the world today, when it comes to computer security much of our society has not even seen transistors."

That's scary when you talk about it, because we are so far past transistor technology that most people don't even know what you're talking about when you talk about a vacuum tube.  And that's where they are, aren't they?

Randy:  Exactly.  There is a lot to do better in terms of computer security in our society, and what it really needs is to be taught in the elementary schools.  Things like social engineering, and how to protect against social engineering, need to be a part of the curriculum so that people are educated on it from the time they enter elementary school.

Alan:  It's not just the news organizations, because I remember some time back a drive-by install got put on a Website during the Super Bowl.

Randy:  The Miami Dolphins Website was attacked and it was serving up malicious software.  Fortunately, ESET users were protected against this, because we proactively detected that trojan at least six months before we ever saw it.

Alan:  Also, one of these big online job search Websites, where you go to find lots of information about an employer and lots of information about getting a new job, got compromised.

Randy:  Monster.com suffered a data breach where a lot of their records were compromised, which meant that the bad guys had more information about job interviews from monster.com.

Alan:  You know, just the fact that the data got compromised is a big eye-opener, isn't it?

Randy:  Oh, yeah.  When that data is compromised, it can be used for social engineering attacks, because then people can send you an email saying, for example, "I saw that you were looking for a job on monster.com and we have this opportunity for you.  Just click on this document."  That's not really a document, but malicious software that executes and infects your computer.

When that data gets compromised you might think, "Well, it's no big deal, I put my name out there because I'm looking for a job."  But you've got to understand that when that data is stolen the bad guys have it and will try to use it against you.

Alan:  Any time you get an email that has some kind of verifying information (your name, your address, even your phone number), we look at it and say, "That must be legit, because they wouldn't have that information unless I gave it to them."  That's not true, is it?

Randy:  No, and in many cases you have given them lots more information on these social networking sites.  That information, if it's stolen from an online site, is now essentially public information.  You know, I've got an email address, askeset@eset.com, and I get mail to it that says "Dear Randy."  It knows me by name, but that doesn't mean they have ever met me; it's public information.

Alan:  We get tons of emails every single day, and it's so easy to accidentally click on the wrong link, and now we've launched something and we don't really understand that we have launched it.  It would be great if we had Websites out there that, once we click on something, pop up a message saying, "This is what would have happened if I were a real bad guy, and this will show you what I could do to you."  That would be an eye-opener, wouldn't it?

Randy:  There have been attempts to do things like that in the past.  It's been done with phishing websites, where it doesn't say "this is what I could have done," but it says, "You came to this website because you clicked on a link that you should not have; that was a phishing attack."  That's one way to help educate people.

One of my all-time favorite stories: I was working at Microsoft when the Love Letter virus made its rounds, so I got the names of the people that had clicked on it, set up a training presentation specifically to educate them, and sent it out to them.  I put a follow-up email with JavaScript in it that popped up a message box when you clicked on the JavaScript (you had to click on it).  And it said, "If you are reading this, you really need to come to our training program."

Alan:  This is where your heuristics come into play, because we cannot plan for every virus or every piece of malware that's out there, because it's constantly changing.  We have viruses and malware where you go to a site, and the next time you go to that site it's completely different.  This is where you have to have heuristics, isn't it?

Randy:  Yes, it's really important to have a forward-looking system, something that can help you identify that this is bad and you don't want to run it, before we've ever seen it.  That's what our heuristics are about.  We can't stop everything; we can't catch everything, but we can give you a much better chance of not getting infected by something that's brand-new.

Alan:  You have to keep your anti-virus and anti-malware software up-to-date, because not having it up-to-date is almost worse than not having it at all, isn't it?

Randy:  I don't know if it's worse, but it certainly is not very effective.  The analogy I used to use when I was doing training was this: I would show an F-86 Sabre jet, which was the premier jet back in the Korean conflict and had an amazing kill ratio, and then ask people, "Even with this being a marvelous machine, how long do you think it's going to last in a battle against modern-day fighter jets?"

That's what happens, only it happens in a week or less with viruses and malware: when people don't keep up-to-date, they are fighting today's battle with yesterday's weapons.

Alan:  And if we wanted to try either NOD32 or ESET Smart Security to see how effectively you can block malware, you have trial versions of each of these software products on your Website.  Are they fully functional?

Randy:  100% fully functional.  It does everything that the purchased product does; we just give you an opportunity to test it out and try before you buy.

Alan:  If somebody would like to find out more information about ESET Smart Security, NOD32 and your blog, where would they go?

Randy:  http://www.eset.com, and if you go to the Threat Center, we've got the blogs, we've got podcasts and white papers.  There is a lot of information on our Website.

Alan:  Randy, we're out of time, and we need to continue this conversation next time, talking about why education is really the key to keeping us safe when we're surfing the Internet.

Randy:  Thanks, Alan, it’s always a pleasure and I look forward to coming back.