It used to be easy to be in the security industry. All you had to do was develop products that said “nay” or “yay” on a given piece of content and “blessed” it as secure or not. That is so 2007… As we have been witnessing during a turbulent 2008 (and yes – it actually started in 2007…), deciding whether a given piece of content (note the distinction between content and file…) is malicious or not is now much more complicated. Let’s take a look at some of the elements that used to guide us down the decision tree of security software logic:
- Source. If the content came from a website that was up to no good (catering to hacker forums, storing malicious files, or even hosted in a foreign country – or with a less than reputable top-level domain such as .cn or .ru), security software used to be able to say “nay”. The content was immediately deemed too suspicious even to start handling, and the whole transaction would be blocked. Back to the present – most of the malicious content and attacks we see come from .com sites, hosted in the US, and most likely on a legitimate site that started attacking its users one day.
- Looks. Web-based threats used to be a relief for security scanning software – no need to decompile or work in a low-level language – everything was plaintext, and it was easy to figure out what a piece of code was trying to do just by “looking” at it and finding the bad calls that make a piece of JavaScript malicious. Reality – enter obfuscation. Most (if not all) malicious code seen on the web today is obfuscated to a level where a standard language-driven detection algorithm simply gives up. The vast capabilities endowed on browsers these days make it very easy to hide malicious code in a scrambled (almost encrypted) and dynamic fashion, such that standard security software cannot see it.
- Distinction. Back in the day, if something looked suspicious, it was blocked. Reality – legitimate and malicious content are intertwined and exist in the same context in most modern web attacks. It’s hard to just say “nay” to a page full of legitimate content when it has a few pieces of malicious content. Security software has to play the news editor role these days and cut out parts of the web so that it can be safe again. Simply blocking sites and pages does not work, especially when (as noted above) most of the attacks come from legitimate sites whose content still needs to be served to the client.
I’m not writing this to paint a grim picture – on the contrary, we are facing a new era, an era of innovation, of change (I know someone said that before me, so I’ll just ride on the wave of success), and of better security. This new reality will move us as a community and as an industry into new realms, where we no longer have to answer simple-minded yes/no questions. Welcome to the era of empowerment, of providing all the new tools, technologies and content to whoever wants them – securely. Gone are the days of “no Facebook at work”; welcome the days of “Facebook at work is great – but no messaging, chat or game applications between 9 and 5.” Welcome to an era where all websites are treated equally and access is “always on,” but we’ll work to keep the bad parts out.
Welcome to the change. I know that we are not the only ones embracing it – so get ready for it!
-Iftach Ian Amit
Director, Security Research, Aladdin