The world is hacked, and it’s users’ fault

I spoke to a large, multinational client the other day that is in the middle of a malicious hacking attack. A large percentage of the company’s workstation computers are compromised. The attackers have access to nearly every server in the global environment. Executive email is being read, confidential data is no longer confidential, and state secrets are no longer secret.

Chinese hackers? We got ’em. Russian hackers? Check! Spearfishing malformed PDFs? Naturally. Socially engineered Trojans all over the place? You betcha! Accounting department’s banking system compromised? Of course — it wouldn’t be a party without it.

Here’s the kicker: In the middle of the call, I actually forgot which client I was talking to — because every company I’ve worked with over the past two years is in the same situation.

[ Juniper and Symantec are investigating widespread cyber espionage that has hit dozens of technology companies. | InfoWorld’s Roger Grimes explains how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]

Is it because of my job that I’m the only person aware of companies in these types of dire straits? It’s not only large firms — it’s nearly every enterprise I’m aware of. Also, it goes beyond the businesses sector; my city is infected and has been nearly shut down. It’s also hit my friend’s computer — an iMac. It’s the same story with my mom’s computer and my neighbor’s computer. It makes me wonder: Is anybody not exploited?

My (virtual) hat is off to the hackers. They’ve managed to infect and exploit the world, and it doesn’t appear that people care. It’s so bad that this passes for life as usual. It’s like learning to accept Mother Nature’s natural disasters as inevitable — though hackers can be stopped. I keep hoping that everyone will decide to come together in a “We Are the World”-type project to make it more difficult for malicious hackers to flourish on the Internet, but it doesn’t seem likely anytime soon.

But there’s plenty that you and your company can do. The majority of the risk is due to end-users intentionally executing socially engineered Trojans that show up as fake antivirus software, malicious video codecs, fake patches, and needed software drivers. Yes, good patching and strong passwords also help, but Trojan horse programs that your end-users (or friends or family) get tricked into installing are by far the most popular, successful threat.

First, implement an improved end-user education program. Teach end-users about the most frequent threats and how they can be tricked into installing malware. Tell them the bad guys often infect their most trusted Web sites and that there’s no such thing as a trusted Web site. When the unsuspecting user visits the seemingly innocent site, the site will often the prompt the user to install some piece of “necessary” software. They will do so, despite the fact that the he or she has visited the same site a thousand times before without needing the software.

Sometimes the recommended software has some generic executable name (setup.exe, install.exe); sometimes it claims to be a popular app. My advice? Tell end-users to skip the installation unless they really find out they need it.

For example, if a Web site says a users needs to install Adobe Acrobat, Macromedia Flash, or QuickTime to view the content, and the user recognizes and trusts the vendor and product being promoted, the end-user should close the current site and go to the vendor site to download the program. If a user doesn’t recognize the vendor’s name or the product, they should say no. What content can be so vital that you’re willing to risk your identity or finances?

If it seems that a user really does need to install the offered program, have him or her download the promoted content or executable and submit it to one of the many online malware inspection/submission sites. All the big antivirus companies have them, although my independent favorite site is VirusTotal, which submits your transmitted file to more than two dozen antivirus engines. I trust it more than any other automated inspection service. It’s not perfect, but it’s as close as I’ve ever found.

Another precaution: Avoid running browsers and email programs in elevated security contexts. There is rarely a need to run those sorts of programs as Administrator or root. Use Windows User Account Control (UAC) or nix’s Sudo feature where you need it.

Additionally, make sure users’ computers are protected by comprehensive antimalware software, including antivirus, antispam, and antiphishing capabilities. Better yet, ensure users’ browsers are also protected. Antimalware software is far from perfect, but it provides a level of security.

As always, check to see that patches are up to date for all users’ software, including the operating system and browser plug-ins. Just as important, or even more so, make sure users are running the latest versions of the software. Malware tends to less successful on newer versions, and vendors always implement new defense mechanism to defeat old attacks. I even have friends who have moved to 64-bit systems solely to be more resistant to today’s malware attacks. Crazy as that sounds as a way to thwart bad hackers, it does offer more protection than 32-bit systems. Consider it one more reason to go 64-bit if you’re weighing an upgrade.

Rogue PDFs are increasingly becoming responsible for computer compromises, but there are steps you can take to protect user machines. First, run the latest version of their PDF reader. If a user’s PDF reader allows you to disable JavaScript, do so. Although this may disable some PDF functionality, I’ll gladly swap the rarely used feature for peace of mind. (Note: PDF reader updates sometimes reenable the JavaScript functionality, so you may need to disable it again after every update.)

More and more users are starting to use non-Adobe PDF readers, with Foxit Reader being the most popular choice. However, converting your entire user base to new software comes with its own set of trade-offs, and you can never be sure how many of the targeted exploits will or won’t work on the newer software.

Another approach is to have users convert PDFs to other formats using an application such as NitroPDF; alternatively, they can use a service such as Gmail that allows PDF conversions. Although it isn’t guaranteed, the conversion process will often render any embedded maliciousness useless. Personally, I don’t open untrusted or unexpected PDF files.

If you can successfully educate users to not accidentally install malware, you’ll immediately eliminate the biggest risk in your environment. Of course, this is easier said than done. The hackers know this and count on it.

This story, “The world is hacked, and it’s users’ fault,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.