Webroot CTO Gerhard Eschelbeck: The New Malware Generation
"People need to realize there are security implications attached to [VoIP] as well, and I think that probably was one of the topics of the conference where a number of people raised the issue of security on Voice over IP, what do we need to do, what can we do, what are some of the risks of moving to a Voice over IP infrastructure from a security perspective?" said Webroot CTO Gerhard Eschelbeck.
Aug 14, 2007 4:00 AM PT
Virtualization rootkits, Web application security and Voice over IP (VoIP) attack vectors topped Gerhard Eschelbeck's list of the top three biggest issues at this month's Black Hat USA conference, held Aug. 1 and 2 in Las Vegas.
Eschelbeck is chief technical officer and senior vice president of security vendor Webroot Software. Shortly after the event, the company updated its corporate anti-malware protection product, Anti-Spyware Corporate Edition With AntiVirus v. 3.5, which uses a combination of signature-based, behavioral and heuristic detection methods to protect networks of varying sizes.
TechNewsWorld spoke with Eschelbeck at Black Hat about his views on the latest threats to network security.
TechNewsWorld: What is the value of hackers and security professionals coming together at a conference like Black Hat?
Gerhard Eschelbeck: Black Hat has been a very successful conference for many years. Since I've been attending, I think it has grown five times its size, mostly as a reflection of security becoming a mainstream topic for IT professionals.
I think part of the real value that I see in the conference is that people on the security research side are sharing and mingling together with the practitioners out in the real world who are doing day-to-day operations of sometimes mission-critical systems. I think this information-sharing across those two groups gives us a tremendous amount of value for the overall distribution of knowledge and the sharing of knowledge.
Black Hat always has been one of those conferences where typically leading-edge type technologies are being presented and talked about, and therefore it's of great value to IT managers, IT administrators and practitioners to learn about these things firsthand so that they can apply this knowledge to their environment.
TechNewsWorld: What were some of the biggest and most important topics you noticed at the conference?
Eschelbeck: From my perspective, looking at this year's conference, there were probably three main themes that I took away from the conference.
The first and probably most notable one was the whole topic around virtualization. Virtualization of applications -- virtualization of operating systems -- is a really hot topic in the industry as a means of consolidating data, saving energy. Virtualization techniques are clearly on the rise; a lot of people are either using them or considering to use them moving forward.
And there's a new class: a new generation of malware specifically designed to target virtualized environments there. And there's a constant cat-and-mouse game in this space right now of is it detectable or is it not detectable? There is on the one side the ones trying to write the undetectable ones, and on the other side the ones who are trying to detect it. I think this is probably going to be a key and significant topic for the next year or two or three to come. Today, this is mostly laboratory malware, but I would not be surprised to see in the next year some real-world proliferation of malware in that particular space.
TechNewsWorld: There was a briefing at Black Hat called, "Don't Tell Joanna, the Virtualized Rootkit Is Dead," which asserted that virtual rootkits will always be detectable. Do you agree with the findings of that?
Eschelbeck: As I said before, the cat-and-mouse game is on, so while I think there are ways now to detect virtualization, there is no clear evidence that you can actually detect a bad virtualization from a good virtualization. So I wouldn't necessarily call it a success for the bad guys here. I would probably call it that the race is on and continues. I don't think we've arrive at the point where we've solved the puzzle yet.
Another very important topic at this year's conference was Voice over IP. Voice over IP clearly is technology that's spreading widely these days. Organizations are jumping on this -- mostly because it's a tremendous improvement over the existing technology infrastructure that you have for the networks, and other benefits and advantages.
People need to realize there are security implications attached to it as well, and I think that probably was one of the topics of the conference where a number of people raised the issue of security on Voice over IP: What do we need to do, what can we do, what are some of the risks of moving to a Voice over IP infrastructure from a security perspective? Overall, they're extremely important topics for the industry to keep in mind over the next years as Voice over IP becomes a replacement for today's phone infrastructure that we have in place.
TechNewsWorld: Do the risks involved in VoIP technology just have to do with eavesdropping on conversations, or do you see hackers perhaps using VoIP systems as a doorway to access even more data -- beyond what's just being said in the conversation over the phone?
Eschelbeck: There's a variety of potential attack vectors that you can think about in the Voice over IP environment, from the very basics of just listening to the conversation. You can have the Voice over IP use traffic over existing packet networks. You can think about all the attacks that we have been seeing in the data class today that's certainly very applicable to the voice class moving forward -- things like redirections, where you essentially think about redirecting perhaps a call center. Instead of calling the company ABC that you wanted to call, you suddenly call somewhere else, because someone in the back of the line redirected the call center Voice over IP traffic to another location there. Those are some of the attack vectors that exist in the data network world today and have been seen here before, and are certainly going to be applicable as well to the voice world.
Then there's all the other aspects as well -- things like how it's much easier to automate and create voice mail spam, for example. We think about how difficult it is to detect regular e-mail spam today -- just think about how difficult it's going to be to detect voice mail spam with voice analysis and all the stuff that's necessary there as well.
I think there's a multitude of new challenges for security, not just limited to listening to phone conversations. There's going to be a multitude of other security-related issues attached to Voice over IP.
TechNewsWorld: What's the third main topic you took out of Black Hat?
There is a security penalty related to that as well, and I think this was a big part of this discussion around what is the impact of some of these new, next-generation Web applications, particularly Ajax-based Web applications. In terms of security, what does that mean for the user who is browsing to such a Web site? In terms of malware distribution, is this going to be a new vector for distributing malware to the user? And also from a service side, a provider perspective, what is the impact to the service provider? Is a security risk attached to that -- so that somebody could easily break into the Web server and potentially position malware on the server, so that future users of the Web site could potentially get infected by browsing on this Web site?
TechNewsWorld: Social engineering was also addressed at the conference. An IT staff can do everything in its power to secure the network with technology, but it also depends on the rest of the staff to stay in a security-focused mindset. Is there anything you feel that can be done to better train a firm's non-technical personnel to keep security in mind as the go about their day-to-day work?
Eschelbeck: I think the social engineering aspect has been around since the early days -- we've always seen those e-mails to provide information on the Web. Social engineering is not going to be solvable with technical means. There's clearly a continuous need and challenge to educate and train an organization's employees.
Some companies have started putting very dedicated training programs in place when new employees are starting, about the use of computers on the networks -- what are some of the dos and the don'ts. There are also some very respected training institutes in the industry whose focus is to essentially train users for safe usage and safe computing.
To use a very simple example, just the fact that there are so many people today infected with spyware on their computer is in a big way a social engineering aspect. You might think browsing the Internet is a safe experience. But if you browse into some of the bad sides of the Internet, there's an inherent risk, and I think an educational part will certainly help here to some extent keeping users out of danger zones.