The UK National Crime Agency (NCA) has warned that thousands of computer systems are still susceptible to the twin risks of Gameover Zeus (a variant of the Zeus banking Trojan) and Cryptolocker (ransomware that encrypts files and demands payment in return for the key to unlock them), even though users were advised to take action to secure their systems two weeks ago.
On June 2 the Gameover and Cryptolocker operations were severely disrupted as a collaboration of law enforcement agencies, security experts and ISPs worked together to identify and seize a significant amount of the infrastructure behind the threats (Naked Security has a comprehensive timeline of events here).
This, according to the NCA, opened up a small window of opportunity for users to take the necessary action to clean their systems of the malware, and so help prevent future infections.
The reaction from the public at first looked promising as a flood of visitors crashed the government-funded Get Safe Online website which had been touted as the go-to place for advice on how to protect against the pair of threats.
But now, as the original deadline for mitigating the threat has passed, it appears that a large number of users have done precisely diddly-squat to protect themselves.
Why is that and whose fault is it?
Dwayne Melancon, CTO of Tripwire, suggests that human nature and a lack of interest in security issues is to blame:
“The majority of the public haven’t been paying attention to this issue, which is how we got into this situation in the first place. Many of the recommended actions fall into the category of “good hygiene” in the computing sense, but it is notoriously hard to get the average user to keep things secure and up to date. Therefore, while I think this was a good idea, I’ll be surprised if it makes a material difference in the reach of the botnet.
I doubt there will be any significant difference in the numbers of zombie systems involved in the botnet. When you look at longer term warnings such as Windows XP being phased out, they tend to go unheeded by the average users. Likewise, even in the face of persistent, shrill warnings about using strong passwords, ‘letmein,’ ‘monkey,’ and ‘jordan’ always make the top 10 anytime password breaches are disclosed. Why would this two-week warning be any different? Unfortunately, most will not heed it – that’s human nature. Hopefully, those of us who heed these warnings will be safe enough from those who don’t.”
David Harley, senior research fellow at ESET, also makes the point that users are set in their ways, highlighting how those who do not heed security warnings in general are not likely to suddenly sit up and pay attention to this latest advisory. He also notes that the majority of the security advice being given out is the same old stuff that we’ve heard many times before:
“The advice that’s been circulated is, as far as I can see, highly generic: use security software and keep it updated, make sure your systems are being patched, use good password management practice. Good advice in principle, but I suspect that in general, people who aren’t doing all that already are probably not going to start doing it because CERTs or the FBI are recommending it. After all, security commentators make the same recommendations that tend to be made for self-protection even when there is no specific hot story to hang it on.”
Calum McLeod, VP of EMEA at Lieberman Software, suggests that IT-illiterate home users are the root cause of the problem and wonders how we can train and motivate what must be the majority of the population to disengage from risky online behaviour (something I too considered yesterday, concluding that security awareness needs to stop being a business ‘problem’ and instead become a mainstream subject taught at school):
“As far as the consumer goes, it’s a lost cause. How do you educate an IT illiterate population about the need to disable privileged access on their home PCs, and stop watching videos of puppies running around! Maybe we need to consider an “IT driving license”. We don’t let people drive cars until they demonstrate that they’re not a danger to themselves and others, and maybe the same needs to apply to the Internet. The likelihood is that most CSOs would fail!”
McLeod also seems to think that security isn’t ‘sexy’ enough in the eyes of a public who have far more interest in the World Cup (which itself isn’t free of security threats) and politics:
“As far as anyone taking steps to protect themselves, most are more worried about the World Cup, Ukraine, and nutters in Iraq than they are about botnets. In any case, it’s yesterday’s news in the mainstream media, who are more concerned with overpaid footballers than criminal activities on the net.”
He is also concerned that the insecure practices of some users could have consequences for senior security professionals, saying that:
“As far as the botnet goes, it’s just like the flu. If it didn’t infect you this time, the next one will be along soon, and since no one seems to worry about catching it, it’s only a matter of time until some CEO/CIO/CSO is looking for a new job on the back of putting their company on the front page, and some member of the public gets their 15 minutes of fame because some nasty criminal stole their life savings after they watched some video on a social media site.”
McLeod doesn’t stop there though. He also believes that the security posture adopted by some businesses leaves something to be desired and argues that the lackadaisical approach adopted by some constitutes a criminal offence that may warrant a prosecution:
“For businesses the famous quote attributed to Benjamin Franklin is probably the most appropriate: “God helps those who help themselves”. There comes a point where the failure of businesses to take adequate steps to protect themselves leaves them deservedly at the mercy of the cyber criminals. At what point does the failure of businesses to address the fundamental cause of infection, namely controlling privileged access to systems, mean that they should either be prosecuted for their failure to take the necessary steps, or that insurance companies cancel any liability policies these organisations have? The Mandiant M-Trends 2014 report categorically states that 100% of breaches resulted from compromised credentials, and yet businesses’ continued failure to address this fundamental issue is in itself a criminal offence!”
Furthermore, he believes that security vendors have a larger role to play in ensuring that business users have adequate protection from Gameover Zeus, Cryptolocker and other threats, arguing that they should back up their claims with liability insurance:
“At the same time it is maybe time that businesses also asked security vendors to carry liability insurance. If you’re claiming that you have innovative solutions to protect against a threat landscape, you better be prepared to put your money where your mouth is. It’s time vendors who offer vapourware were exposed as the charlatans that they are, and it’s high time that customers start reading the small print and realise that many of those so called APT solutions are nothing more than a marketing department’s dream.”
Amichai Shulman, CTO of Imperva, has an altogether different viewpoint which takes the emphasis away from both home users and business. He argues that, whilst individuals do need to take some responsibility, they cannot be expected to repel a crime that is ultimately not their responsibility:
“Repelling cybercrime is not the responsibility of individuals. This ritual of botnet takedown announcements (remember Cutwail) has been repeating itself for too long. Yes, people should make an effort to protect their digital assets – a reasonable effort. We’ve already squeezed all the juice from the “don’t open weird attachments” lemon. It’s done. It’s over. People use the Internet in order to receive content from unknown, needless to say untrustworthy, individuals. Security people and law enforcement should have realized that by now.”
Instead, he says, law enforcement should be prepared to take a far more active role in combating cybercrime:
“I think that more than anything this announcement puts emphasis on the poor posture law enforcement has with respect to cybercrime. Imagine the local police announcing a two week grace period in which the local gangs are “weakened” (with no further explanation) and urging everyone to use this grace period for installing improved window bars, more sophisticated alarm systems and in general be more cautious when they leave their homes after the grace period is over. This is absurd.”
Shulman ended by saying he didn’t expect cybercrime to go away any time soon but he hoped it would be reduced to a more palatable level in the future. That hope, he says, will not come to fruition if we expect the man in the street to be a security expert:
“I don’t expect cybercrime to become extinct (much like regular crime is here to stay), I do expect it to be reduced to an acceptable level – this is the responsibility of law enforcement. I do expect people to reasonably look after their digital assets. However, you can’t expect anyone with an online bank account (practically everyone) to be a cybersecurity expert – that’s the responsibility of the banking application provider.”
So, with thousands of users taking no action to protect themselves from Gameover and Cryptolocker, who can we blame?
Is it the average user who cannot be bothered to protect themselves, or who isn’t yet aware of the threat, or perhaps doesn’t have the basic skills to take or understand the required action?
Is it the fault of the business owner or security function that has taken inadequate steps to secure their systems, possibly even flouting the law in the process?
Or is law enforcement to blame? After all, our taxes pay these guys to protect us, so why don’t they?
Or perhaps there is another factor here. Is it not possible that the issue goes somewhat deeper and that the underlying problem is that we live in an age where new technology is running away from us?
I believe that the capitalist, have-it-now, need-something-new-and-shiny-today society we live in drives such a need for new tech that we never actually get a chance to stand back and think how we are going to secure all these new devices and services, let alone educate the population on how best to protect themselves.
As I wrote yesterday on Brian Honan’s blog, security training and awareness is for everyone and shouldn’t just be limited to the business environment where it is (likely) only part of a box-ticking exercise.
It needs to go much deeper than that – we need to educate our children from the moment they first pick up an internet-enabled device. If we don’t then we will find that we’ll still be talking about an IT-illiterate population and lack of motivation to protect ourselves 30 years from now.