Anti-antivirus users and the risks they pose

The many computer and mobile device users who refrain from protecting themselves with anti-virus software are not just setting themselves up for a fall, according to Sergey Novikov, one of the top virus experts in Kaspersky Lab.

“They are the risks for others, since one of the primary activities of hackers today is to round up computers and devices of home users into botnets they can use to mount major attacks against institutions like banks,” Novikov warned.

The chairman of Kaspersky Lab, Eugene Kaspersky, has been on top of some of the most destructive computer viruses in recent years, including Stuxnet and Flame.

Most hackers don’t aim to cripple society by taking control of electric and water systems, Novikov said, but are simply out to skim a buck. “Ninety percent of all malware and attacks are aimed at financial systems, 8-9% are for espionage purposes, and just 1% is for cyber-terror.” Hackers are too busy making money for themselves to assist radical groups with their expertise, and those who acquire the skill sets to successfully hack into online accounts are far more likely to be doing so for profit than for a cause.

But that doesn’t make them any less dangerous, said Novikov in an interview. Novikov, along with other Kaspersky top staff, were in Israel to introduce a new product from the company, an antivirus suite that allows installation of the same program on PCs, laptops and handheld devices.

The primary challenge is convincing users of the importance of installing antivirus software, Novikov said, as “hackers, like everyone else, follow the line of least resistance.”

Direct attacks on banks and financial institutions are harder than they used to be because many of them are well-protected. It’s far easier to get access to a user’s bank account — and from there to a bank’s servers — with a piece of malware that will copy credit card and account information, said Novikov, using a “social engineering” type of email message, like a note purportedly from a credit card company that requires users to log into a website.

Of course, such emails tend to be suspicious-looking, rife with misspellings and asking for information that is irrelevant to the transaction at hand. But most people don’t think twice and readily click on the link that will install malware such as a keylogger, which is programmed to pay special attention to Internet shopping sites where users will be inserting credit card information.

“It’s getting riskier to attack larger organizations,” said Novikov. “Sometimes the low risk attack on individuals are preferable to an attack on a big institution. If they can’t get financial information out of their victim, or even if they do, they will enroll their victims in a botnet, a hacker-organized network that uses a distributed method to attack better-defended sites by mass-attacking them with passwords issued by the tens of thousands of computers in a botnet, or using them to conduct a DDOS (denial of service) attack, in which thousands of connection requests are made of a server each second, with the objective being to make it impossible for that server to perform.

Novikov isn’t the only one who has noticed the change. In an interview, a top executive of Protiviti, which advises companies on their security risks, said that customers are the biggest risk factors for banks’ cybersecurity.

“As the Internet has continued to evolve, it is part of our everyday activities, and we work with some companies along the lines of whether or not to permit social networking — and social networking is an incubator for social engineering, which is one of the tactics that are applied when malware comes into the space,” said Rocco Grillo, managing director of Protiviti’s technology risk practice. “I think it goes back to the end user again going to a lot of these sites that appear to be legitimate, but at the end of the day may have a link that takes it to a third party that will lead to some type of malware attack.”

What can be done to stop neglectful individual users from being the Achilles heel of the security business?

“In my opinion, it’s impossible to legislate Internet safety,” Novikov said. “People want their devices and never think anything untoward is going to happen to them. You can’t police everybody without turning a society into a police state.”

With that, he said, “it would be nice if service providers, especially in the mobile area where are now seeing a lot more malware activity, would step up and take responsibility.” Typically, service providers deflect the issue of security onto the consumer, claiming that their only job is to supply connection technology.

The most effective option, he said, would be embarking on a major educational program to ensure that everyone is aware of the dangers in the cyber-world and what could happen if they fail to protect themselves.

“We should be teaching this to kids, even from the earliest grades,” Novikov said. “Just like people are taught that they need to wash their hands to prevent disease, they should also be taught how to maintain a cyber-defense as they engage with the Internet, for society’s sake, and their own.”