14 Feb 2014

People behind the scenes keeping the web safe from hackers

We’re used to seeing police officers protecting our streets – what about the people who guard our computers? There’s an entire industry of researchers, investigators and enforcers fighting the bad guys who seek to profit from our seemingly unstoppable move to online life.

Who are they? A fair sample of them are here at Kaspersky’s Security Analyst Summit. Virus experts, privacy campaigners, benign hackers – I even had lunch with a couple of nice, clean-cut chaps from the FBI (a designation absent from their name badges).

But what exactly are they up against? Let’s take an example: when you visit a website, your web browser (e.g. Firefox, Chrome, Internet Explorer) reads and executes the code that builds the web page you see before you. Let’s say a bright young computer whizz-kid realises that, if she inserts a particular piece of code into the website, it can exploit a flaw in your browser and force your computer to download a nasty piece of software.

HACKERS

This software sits, unnoticed by you, on your computer and calls out over the internet to a server thousands of miles away. The server then starts sending your computer more and more nasty bits of software to, say, switch on your webcam, take screenshots, hoover up your Skype traffic, etc. (This is pretty much the exact MO of the “Mask” malware exposed today by Kaspersky’s senior security researcher Costin Raiu and team – it’s been up and running since at least 2007).

From this springs an entire chain of ill-gotten gains: the clever bod who first found the flaw can profit by selling it on the black market, or to any of the “exploit buyers” who will pay tens of thousands for fresh vulnerabilities.

Once built, the malware that exploits the flaw can be rented out to criminal gangs who use it to target companies, public institutions and individuals. The data stolen with it may be smuggled out through a network of compromised servers (and the criminal who runs that network will get a cut of the money too).

Finally, the data will be carved up and used to compromise bank accounts, set up fake identities, and potentially form the basis for more finely-honed phishing attacks on the original victim.

Up against this shadow industry is a coalition of law enforcement, technology companies, assorted academics, researchers and, well, geeks. Some are involved in trying to cut off the trade at the beginning: Microsoft’s Katie Moussouris today outlined her company’s efforts to pay those who discover security flaws in Microsoft products, in a bid to lure them away from selling the information to the black market.

Some are trying to spot the viruses before they spread: Kaspersky’s lead threat researcher Nikita Shvetsov sees millions of samples of malicious code, and reckons the black market industry is as big as, if not bigger than, its legitimate security counterpart.

Then there are those who try to work out which servers are delivering the malicious software, so as to build a blacklist of servers known to be involved in malware campaigns.
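The two defensive tricks hinted at above, spotting an implant that “calls out” to its server on a fixed timer and checking traffic against a blacklist of known-bad servers, can be shown in a few lines. The script below is an added illustration, not code from this article or from Kaspersky. It assumes a constructed proxy log format of “timestamp, client IP, destination host”, an invented blocklist, and invented hostnames; real proxy logs and real blocklists differ, but the logic is the same.

```python
"""Spotting command-and-control beaconing and blocklisted servers in proxy logs.

Added illustration, not code from the article or from Kaspersky. Assumes a
simple constructed log format: "<ISO timestamp> <client IP> <destination host>".
The blocklist entry and all hostnames are invented for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). 10.0.0.5 calls out to an
# unknown host every 300 seconds, like the periodic call-home described in the
# article; 10.0.0.7 browses normally; 10.0.0.9 touches a blocklisted host once.
SAMPLE_LOG = """\
2014-02-14T09:00:00 10.0.0.5 update-check.example.net
2014-02-14T09:00:03 10.0.0.7 news.example.com
2014-02-14T09:05:00 10.0.0.5 update-check.example.net
2014-02-14T09:06:41 10.0.0.7 mail.example.com
2014-02-14T09:10:00 10.0.0.5 update-check.example.net
2014-02-14T09:12:15 10.0.0.9 cdn-static.example.org
2014-02-14T09:15:01 10.0.0.5 update-check.example.net
2014-02-14T09:18:30 10.0.0.7 news.example.com
2014-02-14T09:20:00 10.0.0.5 update-check.example.net
2014-02-14T09:25:00 10.0.0.5 update-check.example.net
2014-02-14T09:27:44 10.0.0.7 shop.example.com
"""

# Hypothetical blacklist of servers "known to be involved in malware campaigns".
BLOCKLIST = {"cdn-static.example.org"}


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_blocklisted(text, blocklist=BLOCKLIST):
    """Return the set of (client, host) pairs that contacted a blocklisted server."""
    return {(c, h) for _, c, h in parse_log(text) if h in blocklist}


def find_beacons(text, min_requests=5, max_jitter=0.1):
    """Return {(client, host): mean_gap_seconds} for pairs whose request
    timing is suspiciously regular.

    A pair is flagged when it has at least `min_requests` requests and the
    standard deviation of the gaps between them is at most `max_jitter`
    times the mean gap. Human browsing produces irregular gaps; an implant
    on a fixed sleep timer does not.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            flagged[pair] = avg
    return flagged


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {host} every ~{gap:.0f}s")
    for client, host in find_blocklisted(SAMPLE_LOG):
        print(f"blocklisted server contacted: {client} -> {host}")
```

On the constructed log the regular-interval check flags only 10.0.0.5 talking to update-check.example.net (roughly every 300 seconds), while the ordinary browser on 10.0.0.7 never reaches the five-request threshold for any one host. Real implants add random jitter to their sleep timer precisely to defeat this kind of check, which is why the tolerance is a parameter rather than a constant.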

And there’s the sharp end: the law enforcement officers who have the gnarly job of not just locating the bad guys in the real world, but trying to organise arrests in global locations (as one speaker said today: “Six mouse clicks take them across four countries”).

Into this world, the revelations of Edward Snowden have come as a long-suspected but unwelcome extra headache for many. Much as the US and UK governments insist they operate within the law, for tech security workers a threat from nation states is as bad as a threat from a criminal gang.

They are paid to secure their clients’ systems, whether that’s against cybercrooks or spies from China, America or anywhere else. And as more and more of us go online for everything from banking to shopping to socialising, the challenges are only going to grow more complex.

Follow @geoffwhite247 on Twitter