The Early Bird Avoids the Worm (and Other Malware)


The speed with which malware is released onto the Internet is startling, and is causing security vendors and their clients -- at least those that are not in denial -- to react with equal speed. Indeed, the speed with which companies and their security vendors react perhaps is the most important single element to avoiding or containing security problems.


This week, McAfee introduced an application called Artemis that uses cloud computing to respond instantaneously to suspicious code found on computers. It will be marketed next year as the Active Protection feature in its software. Essentially, McAfee software will do its job as always. When it finds something it doesn't recognize, however, it won't just wait for the next batch of signatures. It will send a message to McAfee's cloud-based database, which will send back the required software. This will happen instantaneously and, theoretically at least, no challenge will go unmet for any length of time.


Crackers have automated their initiatives, allowing them to react more quickly. So now even folks with no expertise can take a whack at corporate and consumer systems. This is at least partly the result of the move of organized crime to the Internet. Once the bad guys get organized and set their sights on financial gain, it's inevitable that they will look for easily repeatable ways to find vulnerabilities. So IT must be on its toes, too.


Earlier this year, for instance, Computerworld reported that a hacker group called The Cult of the Dead Cow released an open source tool designed to give IT professionals a fast way to find vulnerabilities. The story provides an overview of the tool, which is called Goolag because it uses a collection of Google search terms. The problem, of course, is that malicious hackers can use the tool for the same purpose.


At the recent DefCon, security researcher Mike Perry said he is close to releasing an automated tool that could help crackers steal information from sites that users think are secure. Many sites that connect to users via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) don't encrypt after the initial login page, he says. A second problem is that some companies don't mark cookies as secure, making it possible for crackers to steal them and impersonate their owners. Perry claims to be trying to get the major sites to pay attention to these flaws. He says he will only release the tool when it becomes apparent that they are not taking the situation seriously.
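The second flaw above, a session cookie issued without the Secure attribute, is something a site operator can check for directly in the Set-Cookie headers its servers emit. The following is an added illustration, not code from the article, from Perry, or from any vendor named here: it parses Set-Cookie headers, reports any cookie that lacks the Secure attribute (a browser will otherwise send that cookie on any plain http:// request to the host, in cleartext), and shows the hardened form of the header. The HttpOnly check is an extra, common companion check that the article does not discuss; the sample headers are constructed, not captured from any real site.

```python
# Added example: audit Set-Cookie headers for the Secure attribute that the
# article says some sites omit, and emit a hardened header. Not the article's
# code nor any vendor's; the sample headers below are constructed.

from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased so comparisons are case-insensitive;
    flag attributes such as Secure and HttpOnly map to the empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of problems found in one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        # Without Secure, the browser sends the cookie over plain HTTP too,
        # which is the exposure the article describes.
        findings.append(f"{name}: missing Secure attribute")
    if "httponly" not in attrs:
        # HttpOnly is not discussed in the article; it is added here as a
        # companion check that keeps page scripts from reading the cookie.
        findings.append(f"{name}: missing HttpOnly attribute")
    return findings


def harden_set_cookie(header: str) -> str:
    """Return the header with Secure and HttpOnly appended where absent."""
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; a clean cookie maps to []."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        name, _, _ = parse_set_cookie(h)
        report[name] = audit_set_cookie(h)
    return report


# Constructed sample headers, as a server might emit them after login.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                          # Secure missing
    "pref=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",  # both missing
    "auth=xyz789; Path=/; Secure; HttpOnly",                     # properly flagged
]


if __name__ == "__main__":
    for cookie, problems in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not problems else "; ".join(problems))
    for h in SAMPLE_HEADERS:
        print("hardened:", harden_set_cookie(h))
```

Run as a script it prints one line per sample cookie and the hardened header for each; to audit a live server, feed it the Set-Cookie lines from the response to a login request. Note that the Secure attribute only stops the browser from sending the cookie over plain HTTP; the first flaw in the paragraph, pages served without encryption after login, still has to be fixed on the server side.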


While the move to leverage the cloud clearly is intriguing, there also are less dramatic steps that can be taken. This InformIT article provides a tremendous amount of background on the current situation and makes a few suggestions on how to get patches more quickly into the field. The most noteworthy is bypassing lab testing because patches rarely cause serious problems. Of course, this approach should be used with caution, especially if the systems being patched are mission-critical. Tweaking the change control board (CCB) -- the system of approvals needed for various patch initiatives -- also is possible. Finally, instituting multiple patch-distribution points can speed relief.