How Internet Criminals Will Evade Vista's Safeguards
May 5, 2007
The new version of Windows is more secure, but it won't end Web attacks, experts say.

Erik Larkin, PC World
Friday, May 04, 2007 3:00 PM PDT

Think malware will fade away with Vista? Sorry. There's about as much chance of the thriving throngs of online criminals packing up shop as there is of Microsoft doing the same.

"Malware technology will evolve just like a business," says Vlad Gorelik, chief technology officer of Sana Security. "There are definitely improved protections [in Vista] with permissions control and things like that, but that type of protection could be overcome by malware."

Some malware can already do its nefarious work under Vista, while other samples will need only minor changes. Fake alerts and other social engineering tricks already in use will become more sophisticated and more common as methods for evading Vista's defenses. You'll also likely see more Web-based threats able to steal data passing through any browser, and malware may hide more often in seemingly innocuous installation programs. These threats and others will find a way around Vista's defenses as long as there's a buck to be made--but you can act to protect yourself.

According to Gorelik, Microsoft's efforts to allow legacy XP software to run on Vista mean that many varieties of malware can easily make the jump along with legitimate programs. Some won't need to change at all; Gorelik says that out of a few hundred malware samples his company regularly works with on XP, about 30 percent ran happily under Vista without any modifications.

For those attack apps that might be blocked from installing surreptitiously by Vista's User Account Control (UAC), for instance, expect social engineering to play an ever greater role. UAC attempts to limit malware's reach into the system by denying malware automatic permission to change important system files. If a user or a program tries to make sensitive changes, a pop-up appears that requires the user to okay the move.
Attackers will employ social engineering tricks to get around that defense, or even to co-opt it. Social engineering already exists in many forms--as in (to take just one example) the never-ending flood of e-mails that purport to be from your Web mail provider, asking you to open an attached file explaining your password change. Symantec recently posted a warning about another, particularly well-crafted social engineering attack that appears as a Windows activation window.

Trust No One

The counter to social engineering is, of course, to stay sharp. More than ever, you should automatically distrust any unexpected e-mail attachment, even if it appears to come from a trusted friend or a site you do business with. The same goes for links in e-mail--if you're in the habit of always using a bookmark or typing in the URL to access your accounts, you'll be safe if and when an e-mail comes along that's good enough to trick you.

But social engineering won't stop with e-mail. Both Gorelik and Joe Stewart, a senior security researcher with SecureWorks, expect social engineering to expand with attacks that purposely pop up a seemingly normal UAC prompt--but if you OK it, you'll give malware a free pass to infect your computer. These faked pop-ups could work, Stewart says, because people "have to make the right decision about what they're going to run every time. It just takes one thing to get through and disable UAC."

Installers to Evade UAC?

Gorelik also expects Internet fraudsters to take advantage of what many experts are calling a UAC design flaw. The Vista feature allows only two options for installation programs--block them entirely or give them free rein on your PC. There's no middle ground, such as giving a program only those permissions needed to install. So if you can trick the user into performing an installation, Gorelik says, you can make an end run around UAC.
Attackers already try to bury malware in otherwise benign downloaded programs, and the practice may increase in response to Vista's protections.

Those who regularly peer into the dark side of the Internet also warn that we can expect to see more Web-based threats that can work despite Vista's Protected Mode for Internet Explorer 7. Protected Mode is a smart approach that limits the ability of IE--or an attack that takes over the browser--to expand into the rest of the operating system, even beyond the limitations imposed by UAC. But many Web-based attacks that use malicious JavaScript to perform phishing attacks and potentially steal data from online accounts (as in a faked eBay auction) can work even in Protected Mode. The attacks don't need to access system files, but only to steal the data that passes through the browser.

Such attacks are both more limited and more powerful than malware that installs a file on a computer. For example, an attack that uses poisoned JavaScript hidden on a Web site to steal data can often hit a range of browsers across a range of operating systems, but it fades away when you close your browser.

Protect Your Passwords

Gorelik warns that the risk from password-stealing attacks is also magnified by many people's habit of re-using the same account name and password for numerous sites and services. An online thief who steals that info for your Gmail account, for instance, knows that the same credentials might work on a bank site. And while we can't be expected to remember strong, unique passwords for all of our online financial accounts, excellent free tools such as Stanford's Password Hash can take care of that for you.

In the face of burgeoning online crime, Microsoft moved in the right direction with its additional Vista security features. The added protections should help--but they won't end malware. "I don't see the malware world changing all that much," says SecureWorks' Stewart.
"The ones that are out there making money out of malware will make some adjustments to their code, and then it will be business as usual."

http://www.pcworld.com/article/id,131581-pg,1/article.html

Vikas Kapoor
MSN ID: [EMAIL PROTECTED]
Yahoo ID: [EMAIL PROTECTED]
Skype ID: dl_vikas
Mobile: (+91) 9891098137
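To show the per-site password idea behind tools like Stanford's Password Hash mentioned in the "Protect Your Passwords" section above, here is an added Python example that is not part of the forwarded article and not PwdHash's actual algorithm (which uses its own hash and encoding): one master secret is stretched into a distinct password per host with HMAC-SHA256, so a credential phished or stolen from one site is useless at any other. The function names and sample hosts are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the lowercase host that salts the derivation.

    Constructed simplification: only a leading 'www.' is stripped, so
    mail.google.com and google.com still get different passwords.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password as HMAC-SHA256(master, host).

    The master secret is the HMAC key and the host is the message, so the
    output changes completely when either differs. A lookalike phishing
    host (bank-example.com vs bank.example) therefore receives a value
    that does not work at the genuine site, and a password leaked from one
    site reveals nothing usable about the master or any other site.
    """
    host = site_key(url)
    digest = hmac.new(master.encode("utf-8"), host.encode("utf-8"),
                      hashlib.sha256).digest()
    # URL-safe base64 keeps the result typeable; trim to the site's limit.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def reuse_exposure(master: str, urls: list) -> dict:
    """Map each URL to its derived password; constructed helper used to
    check that no two sites share a credential for the same master."""
    return {u: derive_site_password(master, u) for u in urls}


if __name__ == "__main__":
    # Constructed sample: one master secret, three sites, one lookalike.
    sites = ["https://mail.google.com/", "https://www.bank.example/login",
             "https://bank-example.com/login"]
    for site, pw in reuse_exposure("correct horse battery", sites).items():
        print(f"{site_key(site):20s} -> {pw}")
```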
