Interview with Nick FitzGerald, Emerging Threats Researcher, AVG Technologies and Impulse Gamer
Before working at AVG, tell our readers a little about your history?
I worked in the computer centre at the University of Canterbury, in Christchurch, New Zealand for about ten years as a consultant. I mainly covered PC support issues and was responsible for overseeing the Help Desk the last couple of years I was there. During this time I became quite interested in computer virus and antivirus issues and belonged to several online discussion groups and mailing lists sharing information on related issues.
From 1997 to 1999 I was editor of The Virus Bulletin, a UK-based journal that specializes in computer virus and antivirus issues at a fairly technical level. Reflecting changes in the threat landscape, it now also covers broader malicious software (malware) and spam issues. VB also runs and publishes industry-leading antivirus product tests.
Between VB and AVG, I worked on contract mainly for the antivirus team at Computer Associates.
What is the best aspect of working with AVG?
I mainly work with the LinkScanner team who are great to work with, and include some long-time professional friends. Oh, and I get to work from home!
How has the threat landscape changed?
Recently, not that much, other than the sheer increase in volume of malicious sites. But they're mainly doing "more of the same". In the slightly longer term, over the last year or so say, we've seen a notable up-tick in the use of social networking sites. This reflects the obvious popularity of these sites and the bad guys' recognition of them as increasingly valuable (and lucrative) targets.
What is the biggest threat or "uh-oh" moment in your career working with Internet Security?
While at VB I commissioned the first detailed analysis of the CIH virus, which initially seemed very interesting for purely "virus geek" reasons. As a result we were the first to recognize the full scope of its destructive payload -- it would "fry" the victim PC's BIOS making the machine entirely unbootable (leading to its later nickname "Chernobyl"). We finally uncovered the full effects of this just a few days before one of the trigger dates for this payload.
What are the challenges in this industry?
The biggest challenge is actually effecting change. We see the results of the labour of a lot of organized crime groups, their minions and affiliate marketing schemes. We can generally share a lot of data about these activities with relevant local and international law enforcement agencies and the like. Much of this activity does not even require new law to criminalize it -- for example, fraud is pretty much fraud regardless of whether the action takes place by real world letters and documents, phone calls, email, instant messaging or whatever. The trouble we commonly run into in trying to bring the culprits to account is the lack of inter-jurisdictional co-operation between law enforcement groups, which often stems from different policing priorities in the different jurisdictions and/or differing evidential requirements.
Are there any downsides?
If you want a family life, the 24/7 nature of this business may be seen as a downside...
And the frustration of seeing the same thing over and over again. Well-informed computer security folk are probably the heaviest users of the Santayana phrase "Those who cannot learn from history are doomed to repeat it", but I often wonder why Marx's "History repeats itself, first as tragedy, second as farce" is not more widely used in these same circles.
What are your top ten tips for ensuring PC security for our users?
Aside from the usual advice such as run good antivirus software and keep it updated, enable auto-updating in your operating system to keep it patched, ditto for your applications like Office (MS or Open), Adobe Reader, Shockwave Flash, etc., etc., I've recently been telling people to always remember the following...
- No-one in Africa wants to GIVE anyone their money or gold.
- Microsoft/Google/a Russian oil magnate/VW/BMW/etc. certainly does not want to GIVE anyone money/a car/etc.
- A stunning Russian blonde DOES NOT want to marry you.
- You CANNOT win a lottery you did not enter.
- If it sounds too good to be true, IT IS.
- A web site, Email message, IM or tweet that tells you you need to install security software IS LYING.
- Just because it's in a Google search result or an "ad by Google" does NOT mean it is safe.
- If the options seem to be "Click OK/Run/Install" or "turn off the computer", TURN OFF THE COMPUTER.
- Did your friend REALLY send you that message? In the age of Facebook, etc., can you ever really tell?
- Is your friend really as smart about computer security as you think?
A. No
B. Not at all
C. Well and truly not
D. ALL THE ABOVE
In your time in the industry, what are some of the worst stories that you have heard or reported?
People being scammed by the Nigerian 419'ers deciding to go to Lagos to seal the deal once and for all, getting kidnapped when they arrive and then their family faces having to pay the ransom demands. There are reports of people eventually being murdered in these situations.
Bots storing pornography, particularly child-porn, on the victim computer and this being found, reported to employers and/or law enforcement. The PC owner/user is subsequently fired, convicted of child-porn charges and so on, when their only "crime" is not being particularly careful in their use of the computer.
The Julie Amero case where a substitute teacher was left in charge of a classroom with poorly maintained and secured computers. It transpired that the PCs had spyware or adware installed on them, spawning a stream of pornographic site pop-up ads. Between the pornographic images being displayed and the existence of the malware being uncovered following expert forensic examination after her initial trial, her life was ruined and arguably she miscarried due to the stress of living through all this.
Will the internet ever be safe?
If all the computers are turned off or disconnected from it, then maybe... :-)
But seriously, security is a process rather than an endpoint. As computer security guru Spaf [Prof Eugene [Gene] Spafford] once said "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." [This is often misquoted with titanium and nerve gas featuring -- see Spaf's page on this and other notable quotes of his http://homes.cerias.purdue.edu/~spaf/quotes.html .]
The point is that "securing your computer" is an exercise in risk management. What level of risk are you prepared to face? How much is achieving that (or a better) level worth to you in terms of money, time and effort, possibly reduced ease of use, etc.?
Where do these threats generally originate from?
There are two main sources of Internet threats at the moment. First is poorly configured and secured web servers, often due to the use or misuse of popular but badly written "web applications". Second is a large user-base that understands neither that they are each system administrators, nor why it matters that they should understand this in the first place. Both these causes are due to massive over-selling of the notion that popular IT system components are "Internet ready".
A third major issue which is beyond the control of typical Internet users is that the mechanisms that, ummmm, "govern" the Internet are as laughable as they are ineffective.
Why can't the government or governments stop them?
I can only answer this with my personal opinion which almost certainly does not reflect any official position of anyone else...
Ignorance and protecting mostly little-understood vested interests.
That is, the main reasons politicians seldom get anything major right first, second or even third time around. For now, I'm just hoping that they start working on their first attempt...
Thanks for your time, Nick, and all the best with AVG.
Cheers!