‘State-sponsored banking virus found in Middle East’ ran the recent headline, referencing the latest cunning plan to fleece banking customers of their access credentials, but the article’s conclusions struck me as flawed for a number of reasons.
First and foremost, there is nothing new about malware stealing banking access credentials – as my last blog pointed out, ENISA guidance now states that banks should assume that such malware is present. But the real red herring here was that this was being called ‘state-sponsored’ – if a state wants to take money from a bank, it has far more straightforward methods of achieving it – just ask Standard Chartered, HSBC or Barclays over the past few weeks! In reality, ‘state-sponsored’ viruses are more likely to be aimed at damaging centrifuges for uranium enrichment, or disrupting the effective automation of oil production facilities, to give two obvious Middle East examples. These are ‘clear and present dangers’, to coin the US term, for those industries, which surely ought to be investing heavily in preventing such attacks from proliferating. But, this being a blog on Finextra rather than CNI weekly, my concern is that for banking to use comparisons with Stuxnet and Flame in the same breath as ‘state-sponsored’ strikes me as an attempt to reclassify simple online bank fraud as something more akin to Force Majeure.
This brings me back to where I had left off on the last blog, following which a number of people contacted me with queries along the lines of ‘how do I ensure my customers keep their anti-virus (AV) up to date?’, ‘I provide them with free AV, isn’t that enough?’, or more simply ‘Help – what should I do?’ – for today, I’ll look at the first two.
ENISA didn’t specifically go into the issue, but the underlying premise is that you should assume your customer’s machine is infected not because they’re careless or don’t have security on their computer, but because the current generation of AV solutions have fundamental weaknesses.
The most obvious flaw is in the very nature of the way they operate, looking for a ‘signature’ to detect what is or is not known to be malicious. This means that they essentially rely on someone becoming infected before they can identify what infected them, hence the basis of zero-day attacks, where a new strain of malware passes through undetected by its very nature. Then the virus can lie hidden until such a time as the attacker unleashes the payload, whether it’s a criminal after your bank credentials or a foreign power interfering with the smooth operation of that nuclear centrifuge you keep in your garage (what, just me?).
Enex test labs, the UK Government’s CESG-approved security test lab, carries out monthly analysis of the major AV solution providers, and over the last year (to August 2012) they have caught an average of just under 93% of viruses, falling as low as 63% in one month’s test. And in a separate analysis in August 2010, Cyveillance found that even after a virus had been out in the wild for a full month, only 61% of solution providers could identify the threat. More contentiously, a report by another research group, Carbon Black, reported in the Register (http://www.theregister.co.uk/2012/08/23/anti_virus_detection_study/), suggests that where an AV solution doesn’t identify a new strain within 6 days it never will – I won’t wade into that debate on these pages, as that is far too much detail, but the underlying point is clear.
So if we can’t rely on signatures, what should we be looking for? Whitelisting (only allowing known good) is logistically too restrictive to deploy, and as customers will have online relations with multiple banks, retailers, public sector bodies, etcetera, there are far too many applications to keep track of. A number of universities are researching novel approaches towards the next generation of AV solutions, and some techniques are now beginning to emerge commercially, but they have yet to reach the mainstream.
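To make the contrast between the two models concrete, here is an added example of my own (not code from any AV product, nor from the test reports cited above) that puts a toy signature scanner with single-byte wildcards next to a hash allow-list and runs both over three constructed byte strings standing in for a clean program, the sample a signature was written for, and a lightly altered new strain. The hex-with-‘??’ signature format and the sample contents are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed sample "programs" (plain byte strings, not real malware) for the demonstration.
GOOD_PROGRAM = b"MZ\x90\x00" + b"print report; save file; exit"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"read keystrokes; grab bank login form; post to drop"
# Same behaviour, one cosmetic change inside the region the signature covers ("login" -> "logon"):
# an analogue of a new strain that no existing signature has been written for.
NEW_STRAIN = b"MZ\x90\x00" + b"read keystrokes; grab bank logon form; post to drop"

# Signature database: space-separated hex bytes, with '??' standing for any single byte
# (an assumed format for this example, modelled on common hex-signature styles).
SIGNATURES = {
    "Banker.Constructed.A": "67 72 61 62 ?? 62 61 6e 6b ?? 6c 6f 67 69 6e",  # "grab?bank?login"
}


def signature_to_regex(hex_signature: str) -> re.Pattern:
    """Compile a hex signature into a bytes regex; '??' matches any one byte."""
    parts = []
    for token in hex_signature.split():
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '??' also matches 0x0a


def scan_signatures(blob: bytes, signatures: dict) -> list:
    """Blacklist model: report every known-bad pattern present in blob.
    Anything the database has never seen is silently passed as clean."""
    return [name for name, sig in signatures.items() if signature_to_regex(sig).search(blob)]


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Allow-list model: the hashes of programs that are known to be good.
ALLOW_LIST = {sha256(GOOD_PROGRAM)}


def allow_list_verdict(blob: bytes, allowed: set) -> str:
    """Whitelist model: anything not on the list is 'unknown', whether or not a signature exists.
    Catches the new strain, but every legitimate update also needs adding to the list."""
    return "allowed" if sha256(blob) in allowed else "unknown"


if __name__ == "__main__":
    for label, blob in [("good program", GOOD_PROGRAM), ("known sample", KNOWN_SAMPLE), ("new strain", NEW_STRAIN)]:
        print(f"{label:13} signatures={scan_signatures(blob, SIGNATURES)!r:26} "
              f"allow-list={allow_list_verdict(blob, ALLOW_LIST)}")
```

Running it shows the known sample caught and the new strain passed by the signature scanner, while the allow-list rejects both but would equally reject a freshly updated legitimate program until its hash is added.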
Little wonder then that ENISA conclude that banks and other organisations should assume their customers’ machines are infected, given the constant barrage of attacks. But let’s not blame the Government – ours or anyone else’s – if the AV providers use a flawed methodology and the banks (or other bodies) don’t adopt measures to counteract interception of access credentials, we should look to blame them, rather than spooking the market with the actions of some sinister