As volunteer director of the SANS Institute's Internet Storm Center, Marcus Sachs has an eagle-eyed view of Internet security, tracking cyber-threats in real time and raising awareness when malicious hackers launch attacks.
Sachs also directs the Washington operations of the Cyber Security Research and Development Center, which is operated by SRI International's Computer Science Laboratory under a contract with the U.S. Department of Homeland Security.
On a typical day at the ISC, Sachs and a group of about 40 volunteers keep watch over about 500,000 different IP addresses to look for signs of malicious activity. In addition, the ISC incident handlers collect data from third-party sources and maintain the popular daily handler's diary of the biggest security issues of the day.
In this interview with Ziff Davis Internet News, Sachs talks about his work at the ISC, the changing face of network worms and virus attacks, his Web browser, of course, and the general state of Internet security.
It's been almost a year since Microsoft Corp. shipped XP Service Pack 2 to counter the big network worms. Are we any safer today?
I think we are, I really do. If you look at the numbers, there is a reduction in the traditional types of attacks. We haven't seen a big worm since Sasser more than a year ago, so, in that sense, SP2 has served the purpose. But that's not to say the Internet has become safe, because the threats have shifted dramatically.
We're still seeing nonstop activity around e-mail viruses and Trojans and botnet zombies…
That's the shift I'm talking about. The attacks have moved from being a hacker wanting to prove a point by creating chaos, to one where he is out to make money. That's why phishing is such a big problem.
The malware writers are looking to steal identities and credit card data. They are using their skills to make money from illegal activity. They're no longer going after typical attack mechanisms that are more along the lines of a nuisance. Now, it's a subversive, organized scheme. It's about making money from the Internet rather than harassing the Internet.
It has always been changing over the years. In the mid- to late 1990s, the big threat was Web site defacements. Then it moved to the e-mail viruses and then to the self-replicating worm. A few years ago, we had all the big worms coming one after the other, but we haven't seen one in over a year.
In the last 18 to 24 months, the big swing has been toward tricking people into giving up their credit card information. We're seeing massive intrusions into meeting points where the financial world comes together. Large containers of intellectual property are being breached.
Have we seen the last of the big, nuisance-related network worm?
I don't know that you can say that. It's hard to predict what the underground will do. It's not a stretch to imagine that a newcomer will still want to make his name with a nuisance worm, but I think the wave has crested in terms of types of worms we've seen.
There really is no value in it for the bad guys. They are not about putting all the effort into writing malicious code without real profit. It seems to me that the trend now is for malware writers to code for profit, and that's why we're dealing with things like drive-by spyware installs and zombie botnets.
Most of the defenses in the past 10 years have improved to cope with nuisance-type attacks. Now, we have to broaden our thinking. We can't just shift cycles, or they'll shift and stay ahead of us. If we start to think like attackers, start looking ahead to the places they will potentially target, we stand a better chance of protecting ourselves.
How severe is the botnet threat?
It's very legitimate, particularly in the last six months. But it was something we expected, once the cable companies got into the broadband ISP business. Until a few years ago, a high-speed connection was a 56K modem. Now, all the cable companies are stumbling over each other to get Internet bundled with TV service, and that becomes a very lucrative target to communicate with botnets.
There you have this large pipe, and at the end of the pipe sits this computer that's lightly defended. It's the perfect condition for a forest fire, and that's why we're seeing all these Trojans opening back doors. The concept of zombie armies isn't new, but what's new is the way it's now associated with making money.
Does Microsoft Do Enough to Protect Users?
We are dealing with very skilled people who know their way around anti-virus defenses. We are seeing botnets used to set up virtual DNS (Domain Name System) servers and we're seeing things like cache-poisoning attacks. The mischievous script kiddie has now morphed into a guy with the technical smarts to find weak defenses. And he's looking to profit from it.
The majority of these attacks target Windows users. Has Microsoft done enough to protect its customers?
I have to say, SP2 with the firewall turned on by default has changed things for the better.
A lot of credit has to be given to Microsoft for the work they did on that service pack. There's no doubt in my mind that they're taking security very seriously, from the executives down to the programmers.
They take a lot of flak, but we have to remember that Microsoft is made up of people and people make mistakes. You can't expect 100 percent security from a software product, it's just not going to happen.
There are a lot of security issues in Linux too, but Microsoft's problems are amplified because Windows is the dominant operating system. A problem on Linux won't be as readily apparent because the user base there isn't as big. You can say the same for Apple.
Microsoft's recent track record around security has been impressive. Can they do more? Sure. It's easy to sit in an armchair and take a potshot at them, but you have to give them credit for SP2 and the improvements around responding to incidents. They're also working on a new browser to address the threats there, so, overall, I'd say they understand what we're up against.
What's the default Web browser on your computer?
I use Firefox, primarily because of security. When I'm browsing the Web, my personal trust is higher with Firefox than with Internet Explorer. I also recommend Firefox to friends and family, but that's not to say Firefox is perfect. Part of staying safe is keeping your software updated. That's always my recommendation: Use the most updated version of Firefox.
Would you consider switching back to Internet Explorer if the security improvements in IE 7 are significant?
I'd have to test to see what the improvements are, first. It would depend on what they do to address the bigger threats like code-execution attacks. I believe they will do a good job, but I won't know until I see it.
Cell phone viruses: real threat or hype?
Theoretically, it's a real threat. The proof-of-concepts are out there, and they're capable of doing malicious things. Whether it will actually manifest itself as a real-world threat is a hard call.
Personally, I don't think it will be a big deal, because there isn't one dominant operating system on the mobile side. That in itself is a very good defense mechanism. I think we'll see it evolve as more and more smart phones start carrying sensitive data, but in the short to medium term, it's only a low-level threat.