What Is Wrong With PC Security?

By Tom Groenfeldt

I had Norton Internet Security running on my PC and every once in a while it picked up a cookie and asked me if I wanted to fix it. I usually did.

However, it wasn’t Norton, but a few dozen tech-savvy friends who started forwarding me an e-mail, “Christmas, Happy,” which had come from my AOL mailing list to their inboxes, warning me I had been hacked. A quick search through the AOL Web site showed no place to complain about outbound spam or any way to see if it was continuing. I turned to Norton’s site and although it didn’t specifically point to a spot to complain about spam, I clicked on some notification field and got through to a rep on e-mail. Two hops later I was paying $99 to work with tech people, probably in India, to get my computer cleaned up.

So why am I paying Symantec for software and paying again for them to clean up a problem they should have prevented? Obviously they have a system set up for this, as does McAfee, although they appear to be $10 cheaper. I took advantage of their 7-day guarantee to get them to clean up my computer three days later when a virus appeared again. They didn’t say if it was the same one, or if they could identify the virus; they appeared to clear out all the usual suspects.

“The way most of the vendors do PC security makes it very easy for the bad guys to circumvent their software pretty quickly,” said John Viega, vice president of engineering at McAfee and author of a new book, “The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know.”

“The technologies generally have not gotten good enough fast enough, and there hasn’t been the best collaboration between vendors, even though they do collaborate,” he added. They are getting better, but some vendors, who market by publicly announcing vulnerabilities in popular software packages, do more to hurt than help.

CIOZone recently reported on a McAfee prediction that Adobe products will become the most commonly targeted applications for hackers, noting that the company “took some heat in 2009 for the speed with which it responded to cybercriminals’ exploitation of its products. On March 10, Adobe issued a patch for a Reader and Flash vulnerability that hackers had been taking advantage of since January and had been publicized by the Shadowserver Foundation in mid-February.”

“Anyone who could criticize Adobe for a delay has never worked on a software engineering project,” said Viega. If critics refrained from going public while the fix was under development, it is unlikely any hackers would find the vulnerability on their own, he added.

“It can take quite a long time to develop a solution, and the change might require changes in the underlying architecture,” he said. “I have seen occasions where that took months and then QA took months as well. Then it will be months before the average customer gets around to upgrading, so the result is a massive period of vulnerability which should be on the shoulders of whoever publicized it.”

In his book, Viega describes what it will take to improve anti-virus software from its current 30 percent to 60 percent interception rate to something closer to 100 percent. If anti-virus vendors developed a real-time collective intelligence system they could respond to threats much more quickly.

Meanwhile, vendors can analyze software to search for suspect code from unknown vendors and then check it for encrypted sections. By drawing on millions of users around the world, security vendors can use their customer base to identify dangerous software.

“McAfee is moving steadily in that direction and Panda Software is moving that way too,” said Viega.

Meanwhile, what does he make of the fact that my virus returned three days after Norton had removed it and had to be removed once again? If Viega was surprised, he hid it well.

Viega suggested using another, clean computer to change all the passwords on all my accounts, from banks to Facebook. Malware on a computer will try to capture all the passwords. Then, after backing up applications, reinstall the software, starting with the operating system.

Would I do better with a Mac? Yes, he said, because they aren’t as widely used and therefore not such a popular target for hackers. “The Mac is at least as buggy as everything else, but it is less of a target,” he said.

The e-commerce industry response has been muted so far; banks will generally pay for any losses incurred by individuals; meanwhile their back-office systems are pretty secure and well protected, so the losses tend to be by one customer at a time.

Bank of America now offers SafePass, a one-time password generated by a wallet-sized card or sent to the customer’s cell phone. Viega, a fan of the cell phone for pass codes, covers Bank of America in his book. They are having some operational problems with SafePass but are on the right road, he said.




Comments (1)
1. 01-04-2010 11:32
 
While it's very likely saying this in public will end any relationships I still have with security vendors, in my limited experience none of them have any idea how to prevent the really bad stuff, let alone remove it.
Malware like downadup and others can't even be found on a PC without a VM. Other malware simply laughs at removal attempts. Apparently the dark side has access to the best coders.
David Chappelle
