
Interview with Nick FitzGerald, Emerging Threats Researcher, AVG Technologies and Impulse Gamer


Before working at AVG, tell our readers a little about your history?

I worked in the computer centre at the University of Canterbury, in Christchurch, New Zealand for about ten years as a consultant.  I mainly covered PC support issues and was responsible for overseeing the Help Desk the last couple of years I was there. During this time I became quite interested in computer virus and antivirus issues and belonged to several online discussion groups and mailing lists sharing information on related issues.

1997 to 1999 I was editor of The Virus Bulletin, a UK-based journal that specializes in computer virus and antivirus issues at a fairly technical level.  Reflecting changes in the threat landscape, it now also covers broader malicious software (malware) and spam issues. VB also runs and publishes industry-leading antivirus product tests. 

Between VB and AVG, I worked on contract mainly for the antivirus team at Computer Associates.  

What is the best aspect of working with AVG? 

I mainly work with the LinkScanner team who are great to work with, and include some long-time professional friends.  Oh, and I get to work from home!

How has the threat landscape changed?

Recently, not that much, other than the sheer increase in volume of malicious sites.  But they’re mainly doing “more of the same”.  In the slightly longer-term, over the last year or so say, we’ve seen a notable up-tick in the use of social networking sites.  This reflects the obvious popularity of these sites and the bad guys’ recognition of them as increasingly valuable (and lucrative) targets.

What is the biggest threat or “uh-oh” moment in your career working with Internet Security? 

While at VB I commissioned the first detailed analysis of the CIH virus, which initially seemed very interesting for purely “virus geek” reasons.  As a result we were the first to recognize the full scope of its destructive payload — it would “fry” the victim PC’s BIOS making the machine entirely unbootable (leading to its later nickname “Chernobyl”).  We finally uncovered the full effects of this just a few days before one of the trigger dates for this payload.

What are the challenges in this industry? 

The biggest challenge is actually effecting change.  We see the results of the labour of a lot of organized crime groups, their minions and affiliate marketing schemes.  We can generally share a lot of data about these activities with relevant local and international law enforcement agencies and the like.  Much of this activity does not even require new law to criminalize it — for example, fraud is pretty much fraud regardless of whether the action takes place by real world letters and documents, phone calls, email, instant messaging or whatever.  The trouble we commonly run into in trying to bring the culprits to account is the lack of inter-jurisdictional co-operation between law enforcement groups, which often stems from different policing priorities in the different jurisdictions and/or differing evidential requirements.

Are there any downsides? 

If you want a family life, the 24/7 nature of this business may be seen as a downside…

And the frustration of seeing the same thing over and over again.  Well-informed computer security folk are probably the heaviest users of the Santayana phrase “Those who cannot learn from history are doomed to repeat it”, but I often wonder why Marx’ “History repeats itself, first as tragedy, second as farce” is not more widely used in these same circles.

What are your top ten tips for ensuring PC security for our users? 

Aside from the usual advice such as run good antivirus software and keep it updated, enable auto-updating in your operating system to keep it patched, ditto for your applications like Office (MS or Open), Adobe Reader, Shockwave Flash, etc, etc I’ve recently been telling people to always remember the following… 

  • No-one in Africa wants to GIVE anyone their money or gold.

  • Microsoft/Google/a Russian oil magnate/VW/BMW/etc certainly does not want to GIVE anyone money/a car/etc.

  • A stunning Russian blonde DOES NOT want to marry you.

  • You CANNOT win a lottery you did not enter.

  • If it sounds too good to be true, IT IS.

  • A web site, Email message, IM or tweet that tells you you need to install security software IS LYING.

  • Just because it’s in a Google search result or an “ad by Google” does NOT mean it is safe.

  • If the options seem to be “Click OK/Run/Install” or “turn off the computer”, TURN OFF THE COMPUTER.

  • Did your friend REALLY send you that message?  In the age of Facebook, etc can you ever really tell?

  • Is your friend really as smart about computer security as you think?  
    A. No   
    B. Not at all   
    C. Well and truly not   
    D. ALL THE ABOVE

In your time in the industry, what are some of the worst stories that you have heard or reported? 

People being scammed by the Nigerian 419’ers deciding to go to Lagos to seal the deal once and for all, getting kidnapped when they arrive and then their family face having to pay the ransom demands.  There are reports of people eventually being murdered in these situations. 

Bots storing pornography, particularly child-porn, on the victim computer and this being found, reported to employers and/or law enforcement.  The PC owner/user is subsequently fired, convicted of child-porn charges and so on, when their only “crime” is not being particularly careful in their use of the computer. 

The Julie Amero case where a substitute teacher was left in charge of a classroom with poorly maintained and secured computers. It transpired that the PCs had spyware or adware installed on them, spawning a stream of pornographic site pop-up ads.  Between the pornographic images being displayed and the existence of the malware being uncovered following expert forensic examination after her initial trial, her life was ruined and arguably she miscarried due to the stress of living through all this. 

Will the internet ever be safe? 

If all the computers are turned off or disconnected from it, then maybe…    -) 

But seriously, security is a process rather than an endpoint.  As computer security guru Spaf [Prof Eugene [Gene] Spafford] once said “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.” [This is often misquoted with titanium and nerve gas featuring — see Spaf’s page on this and other notable quotes of his http://homes.cerias.purdue.edu/~spaf/quotes.html .] 

The point is that “securing your computer” is an exercise in risk management.  What level of risk are you prepared to face?  How much is achieving that (or a better) level worth to you in terms of money, time and effort, possibly reduced ease of use, etc? 

Where do these threats generally originate from? 

There are two main sources of Internet threats at the moment.  First is poorly configured and secured web servers, often due to the use or misuse of popular but badly written “web applications”.  Second is a large user-base that understands neither that they are each system administrators, nor why it matters that they should understand this in the first place.  Both these causes are due to massive over-selling of the notion that popular IT system components are “Internet ready”. 

A third major issue which is beyond the control of typical Internet users is that the mechanisms that, ummmm “govern” the Internet are as laughable as they are ineffective.

Why can’t the government or governments stop them? 

I can only answer this with my personal opinion which almost certainly does not reflect any official position of anyone else… 

Ignorance and protecting mostly little-understood vested interests. 

That is, the main reasons politicians seldom get anything major right first, second or even third time around.  For now, I’m just hoping that they start working on their first attempt…    

Thanks for your time Nick and all the best with AVG 

Cheers!