By Ondrej Krehel
Ever take a long-awaited vacation and sit down to order your first Mai Tai, only to find your credit card has been locked? Ever felt excited to make a major online purchase—plasma and 3D!—only to find it didn’t go through?
Inconvenient? Sure, but these measures are protections credit card companies put in place based on your spending profile.
Profiling, applied to catching theft carried out by malicious software, is a developing component of computer security. Take, for example, SpyEye. SpyEye is an evil little piece of malware that harvests online banking credentials and initiates transactions once the user has logged into his account. Who knows how many panic attacks it’s responsible for; victims can literally watch their balances fall.
The banks, aware of SpyEye and programs like it, have designed protections based on common identifiers such as the IP address and on user behaviors such as how long the account holder usually spends on the site and how long it takes him to complete a transaction. Malware programmed to act instantly, or a login from a Latvian IP when the account holder lives in Missouri, locks the account—just like that credit card of yours in Hawaii.
Sounds effective, but that’s not the end of the story. SpyEye’s programmers, like the authors of many other black hat tools for conning and scamming, have now built in evasion code that tries to mirror a normal user’s patterns on the site. How successful this morph has been is unclear, but one security vendor has said SpyEye is growing – expanding the number of countries it operates in and the institutions it targets.
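The two checks described above, and the evasion that follows them, as an added example that is not part of the original post. It scores a login session against a per-account profile built from past sessions: one rule compares the login country with the holder's country on file, the other flags a transfer submitted far faster than that holder has ever managed. The account data, session records, point weights and lock threshold are all constructed for illustration and are not any bank's real rules.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    """One online-banking session as a bank's fraud engine would see it."""
    account: str
    ip_country: str            # country the login IP geolocates to
    seconds_to_transfer: float  # time from login to submitting a transfer


# Constructed history of legitimate sessions; this is the holder's behavioral profile.
HISTORY = {
    "acct-1": [
        Session("acct-1", "US", 150),
        Session("acct-1", "US", 180),
        Session("acct-1", "US", 120),
        Session("acct-1", "US", 160),
    ],
}
HOME_COUNTRY = {"acct-1": "US"}  # from the address the bank has on file

# Illustrative weights (assumed); a real engine tunes these against labelled fraud.
GEO_POINTS = 60
TIMING_POINTS = 60
LOCK_AT = 50


def profile(account):
    """Return (mean, population stdev) of time-to-transfer from this holder's history."""
    times = [s.seconds_to_transfer for s in HISTORY[account]]
    return mean(times), pstdev(times)


def score(session):
    """Apply each rule, add its points when it fires, and return (points, reasons)."""
    points, reasons = 0, []
    home = HOME_COUNTRY[session.account]
    if session.ip_country != home:
        points += GEO_POINTS
        reasons.append(f"login from {session.ip_country}, holder lives in {home}")
    mu, sd = profile(session.account)
    # Three standard deviations below this holder's own mean looks scripted, not human.
    floor = mu - 3 * max(sd, 1.0)
    if session.seconds_to_transfer < floor:
        points += TIMING_POINTS
        reasons.append(
            f"transfer submitted after {session.seconds_to_transfer:.0f}s, "
            f"holder's usual is about {mu:.0f}s"
        )
    return points, reasons


def decision(session):
    """LOCK the account when the accumulated risk points reach the threshold."""
    points, reasons = score(session)
    return ("LOCK" if points >= LOCK_AT else "ALLOW"), reasons


if __name__ == "__main__":
    cases = {
        "holder at home, normal pace":        Session("acct-1", "US", 170),
        "malware acting instantly from LV":   Session("acct-1", "LV", 2),
        "malware mimicking the holder's pace": Session("acct-1", "LV", 160),
        # Hypothetical: same mimicry, but routed through an address in the holder's country.
        "mimicked pace and proxied IP":       Session("acct-1", "US", 160),
    }
    for label, s in cases.items():
        print(f"{label:38s} -> {decision(s)}")
```

The last two constructed cases show the limit of the approach: once the malware paces itself like the holder, only the IP rule still fires, and if it also hides behind an address in the holder's country nothing fires at all, which is why the profile has to keep growing new signals rather than stay fixed.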
Morphing—the automatic modification of code, also called polymorphism—is not new in malicious software. Virus writers have long built algorithms into their code that rewrite it on each infection, thus avoiding detection by any fixed signature. Any good Trojan comes standard with morphing code these days, so you won’t find two machines carrying the same Trojan with the same binary.
This is the problem with traditional antivirus and antimalware software: it matches known byte patterns, so it is essentially powerless against the latest morphing code, whose bytes differ on every machine. White hats are working to change that with heuristics, which profile what a program does on your computer much as the credit card companies profile your spending. But heuristics come with significant resource costs, which I will address in more detail in my next post.
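The contrast drawn in the last two paragraphs, as an added example that is not code from the original post or from any antivirus product. A toy packer builds a fresh variant of the same body on every build by XOR-encoding it under a random key behind an unchanging decoder stub; a hash signature taken from one variant matches only that variant, while a heuristic that recognises the stub, replays the decoding and judges the decoded body by what it would do catches every variant. The payload is a constructed, harmless text string, the stub is a marker rather than real code, and the indicator strings are assumptions for illustration.

```python
import hashlib
import os

# Constructed, harmless stand-in for a malicious body; real samples carry code here.
PAYLOAD = b"BEGIN harvest credentials; post to drop site; initiate transfer END"
KEY_LEN = 16
# The decoder every variant must carry so it can unpack itself at run time.
# Here it is only a marker; in a real packer it is a small executable routine.
STUB = b"\x90\x90DECODE:"
# What a heuristic engine looks for after unpacking: behaviour, not raw bytes (assumed).
BEHAVIOUR_INDICATORS = (b"harvest credentials", b"initiate transfer")


def xor(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload=PAYLOAD, key=None):
    """Build one variant: STUB || key || XOR(payload, key).
    A fresh random key per build means every infected machine gets a different binary."""
    key = os.urandom(KEY_LEN) if key is None else key
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return STUB + key + xor(payload, key)


def unpack(variant):
    """What the stub does at run time, and what an emulating scanner replays."""
    key = variant[len(STUB):len(STUB) + KEY_LEN]
    return xor(variant[len(STUB) + KEY_LEN:], key)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_match(sample, known_hashes):
    """Traditional detection: exact match against hashes of samples seen in the lab."""
    return sha256(sample) in known_hashes


def heuristic_match(sample):
    """Heuristic detection: if the invariant decoder is present, replay it, then judge
    the (decoded) body by the behaviour it carries rather than by its bytes."""
    body = unpack(sample) if sample.startswith(STUB) else sample
    return any(indicator in body for indicator in BEHAVIOUR_INDICATORS)


def evaluate(n_variants=5):
    """Pack the same payload n times; the lab holds a signature for the first variant only."""
    variants = [pack() for _ in range(n_variants)]
    known = {sha256(variants[0])}
    return {
        "variants": n_variants,
        "distinct_hashes": len({sha256(v) for v in variants}),
        "signature_hits": sum(signature_match(v, known) for v in variants),
        "heuristic_hits": sum(heuristic_match(v) for v in variants),
    }


if __name__ == "__main__":
    print(evaluate())
```

The cost difference is also visible here: the signature check is one hash lookup, while the heuristic has to run the sample's own decoder before it can judge anything. With a real stub that means executing untrusted code in an emulator, which is where the resource problems mentioned above come from.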
This dance between black hat thieves and white hat security firms has been going on for more than 20 years and will continue for another 20, perhaps even after I’ve retired. Your computer, your phone, your social network, all your online activities: none of them can be completely secured. Most of us have known this for a long time, but as we push more and more of our lives into the digital domain, it’s a point that can’t be emphasized enough.
Next time I’ll look at heuristics in more detail and discuss how they apply to online identities. Knowing how and why a system is fundamentally insecure is the first step toward making your own behavior more secure and less vulnerable to attack.
Ondrej Krehel, CISSP, CEH, Chief Information Security Officer,
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.