The Antivirus Era Is Over - UNM 2020
6/12/12 The Antivirus Era Is Over - Technology Review
Published by MIT
COMPUTING
The Antivirus Era Is Over
Conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started.
MONDAY, JUNE 11, 2012 BY TOM SIMONITE
Two weeks ago today, computer security labs in Iran, Russia, and Hungary announced the discovery of Flame, "the most complex malware ever found," according to Hungary's CrySyS Lab.

For at least two years, Flame has been copying documents and recording audio, keystrokes, network traffic, and Skype calls, and taking screenshots from infected computers. That information was passed along to one of several command-and-control servers operated by its creators. In all that time, no security software raised the alarm.

Flame is just the latest in a series of incidents that suggest that conventional antivirus software is an outmoded way of protecting computers against malware. "Flame was a failure for the antivirus industry," Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week. "We really should have been able to do better. But we didn't. We were out of our league, in our own game."

The programs that are the lynchpin of computer security for businesses, governments, and consumers alike operate like the antivirus software on consumer PCs. Threats are detected by comparing the code of software programs and their activity against a database of "signatures" for known malware. Security companies such as F-Secure and McAfee constantly research reports of new malware and update their lists of signatures accordingly. The result is supposed to be an impenetrable wall that keeps the bad guys out.
www.technologyreview.com/news/428166/the-antivirus-era-is-over/
However, in recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based software. Many technically sophisticated U.S. companies—including Google and the computer security firm RSA—have been targeted in similar ways, albeit with less expensive malware, for their corporate secrets. Smaller companies are also routinely compromised, experts say.

Some experts and companies now say it's time to demote antivirus-style protection. "It's still an integral part [of malware defense], but it's not going to be the only thing," says Nicolas Christin, a researcher at Carnegie Mellon University. "We need to move away from trying to build Maginot lines that look bulletproof but are actually easy to get around."

Both Christin and several leading security startups are working on new defense strategies to make attacks more difficult, and even enable those who are targeted to fight back.

"The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable," says Dmitri Alperovitch, chief technology officer and cofounder of CrowdStrike, a startup in California founded by veterans of the antivirus industry that has received $26 million in investment funding. "We need to focus on the shooter, not the gun—the tactics, the human parts of the operation, are the least scalable."

CrowdStrike isn't ready to go public with details of its technology, but Alperovitch says the company plans to offer a kind of intelligent warning system that can spot even completely novel attacks and trace their origins.

This type of approach is possible, says Alperovitch, because, although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on "big data," possibly meaning it will analyze large amounts of data related to many traces of activity on a customer's system to figure out which could be from an infiltrator.
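As an added illustration of the contrast the article draws between signature matching and goal-based detection (this is not code from the article, nor CrowdStrike's or any vendor's technology), the snippet below shows a hash-and-pattern check that a one-byte edit defeats, beside a check keyed to the collect-then-exfiltrate pattern that still fires on the edited variant. All sample bytes, process names, actions and addresses are constructed for the example.

```python
import hashlib

# Constructed signature database: the hash of one made-up sample plus a byte pattern from it.
KNOWN_SAMPLE = b"MZ\x90\x00FLAME-LIKE-STAGER\x00collect;exfil"
SIGNATURES = {"hashes": {hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
              "patterns": [b"FLAME-LIKE-STAGER"]}
# A recompiled variant: one byte changed, identical purpose and behaviour.
TWEAKED_SAMPLE = KNOWN_SAMPLE.replace(b"FLAME-LIKE", b"FLAMF-LIKE")

def signature_match(sample: bytes) -> bool:
    """Classic AV check: exact hash or byte-pattern hit against the database."""
    if hashlib.sha256(sample).hexdigest() in SIGNATURES["hashes"]:
        return True
    return any(pattern in sample for pattern in SIGNATURES["patterns"])

# The goal-oriented view: whatever the code looks like, the operation must
# collect data from the host and then move it out. Key on those actions.
COLLECTION = {"file_read_docs", "audio_capture", "keystroke_log", "screenshot"}

def behaviour_suspicious(trace, min_collect=3):
    """Flag processes that perform several distinct collection actions and also
    send to a host that no other process in the trace has contacted."""
    state, contacted = {}, {}
    for proc, action, detail in trace:
        st = state.setdefault(proc, {"collect": set(), "sent_to": set()})
        if action in COLLECTION:
            st["collect"].add(action)
        elif action == "net_send":
            st["sent_to"].add(detail)
            contacted.setdefault(detail, set()).add(proc)
    return [proc for proc, st in state.items()
            if len(st["collect"]) >= min_collect
            and any(contacted[h] == {proc} for h in st["sent_to"])]

# Constructed activity trace: (process, action, detail). Addresses are from the
# documentation ranges, not real infrastructure.
TRACE = [
    ("browser.exe", "net_send", "203.0.113.10"),
    ("stager.exe", "file_read_docs", "C:/Users/a/Documents"),
    ("stager.exe", "audio_capture", "mic0"),
    ("stager.exe", "keystroke_log", "hook"),
    ("stager.exe", "screenshot", "display0"),
    ("stager.exe", "net_send", "198.51.100.7"),
    ("browser.exe", "file_read_docs", "cache"),
    ("mail.exe", "net_send", "203.0.113.10"),
]
if __name__ == "__main__":
    print(signature_match(KNOWN_SAMPLE), signature_match(TWEAKED_SAMPLE))  # True False
    print(behaviour_suspicious(TRACE))  # ['stager.exe']
```

The behaviour check is deliberately simple; in practice the thresholds and the "host nobody else talks to" heuristic would be tuned against baseline activity on the customer's own systems.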
Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and business models of cyber attackers, says that makes sense. "The human costs of these sophisticated attacks are one of the largest," he says. Foiling an attack is no longer a matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of people. "You need experts in their field that can also collaborate with others, and they are rare," says Christin. Defense software that can close off the most common tactics makes it even harder for attackers, he says.
Other companies have begun talking in similar terms. "It goes back to that '80s law enforcement slogan: 'Crime doesn't pay,'" says Sumit Agarwal, a cofounder of Shape Security, another startup in California that recently came out of stealth mode. The company has $6 million in funding from ex-Google CEO Eric Schmidt, among others. Agarwal's company is also keeping quiet about its technology, but it aims to raise the cost of a cyber assault relative to the economic payoff, thus making it not worth the trouble to carry out.

A company with a similar approach is Mykonos Software, which developed technology that helps protect websites by wasting hackers' time to skew the economics of an attack. Mykonos was bought by networking company Juniper earlier this year.

Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It came from the well-resourced world of international espionage. But such cyberweapons cause collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected an estimated 100,000 computers), and features of their designs are being adopted by criminals and less-resourced groups.

"Never have so many billions of dollars of defense technology flowed into the public domain," says Agarwal of Shape Security. While the U.S. military goes to extreme lengths to prevent
aircraft or submarines from falling into the hands of others, military malware such as Flame or Stuxnet is out there for anyone to inspect, he says.

Agarwal and Alperovitch of CrowdStrike both say the result is a new class of malware being used against U.S. companies of all sizes. Alperovitch claims to know of relatively small law firms being attacked by larger competitors, and green technology companies with less than 100 employees having secrets targeted.

Alperovitch says his company will enable victims to fight back, within the bounds of the law, by also identifying the source of attacks. "Hacking back would be illegal, but there are measures you can take against people benefiting from your data that raise the business costs of the attackers," he says. Those include asking the government to raise a case with the World Trade Organization, or going public with what happened to shame perpetrators of industrial espionage, he says.

Research by Christin and other academics has shown that chokepoints do exist that could allow relatively simple legal action to neutralize cybercrime operations. Christin and colleagues looked into scams that manipulate search results to promote illicit pharmacies and concluded that most could be stopped by clamping down on just a handful of services that redirect visitors from one Web page to another. And researchers at the University of California, San Diego, showed last year that income from most of the world's spam passes through just three banks. "The most effective intervention against spam would be to shut down those banks, or introduce new regulation," says Christin. "These complex systems often have concentrated points on which you can focus and make it very expensive to carry out these attacks."

But Agarwal warns that even retribution within the law can be ill-judged: "Imagine you're a large company and accidentally swim into the path of the Russian mafia. You can stir up a larger problem than you intended."
4 comments
vnedovic
Great article until the very last paragraph. These people are smart enough not to use such stupid stereotypes. At the level of complexity discussed, every party is dangerous, regardless of its roots. The four legs-two legs reasoning in such cases sounds rather like propaganda than an argument.
6 HOURS AGO
wctopp
Wonder how the stolen info makes it from the target computer back to the server collecting the info w/o someone spotting a permanently open IP link (direct or otherwise) between the two. Even if it's intermittent and randomly so, over time it's persistently there. Over a day my computer connects with thousands or tens of thousands of IP addresses, but day to day only a few are always there and they're predictable (my preferred DNS, google, reuters etc.).
9 HOURS AGO
R Sweeney
How sweet, Obama destroys the entire world of the internet for a chance to delay Iran and pretend he isn't doing it.
17 HOURS AGO
jonfingas
R Sweeney The Stuxnet program (and quite possibly Flame, based on code age) was started under Bush Jr., not the current president. Obama's decision was, once he was told it had 'escaped,' to either close up shop or double down (the option he picked). If you have to blame him for something, blame him for that, although he was worried that Israel would get antsy and launch a real-world attack if it didn't think malware was keeping Iran at bay (remember, they struck Iraq's Osirak reactor in the 1980s). It's hard to say if he was being overly servile to Israel or heading off disaster. Goodness knows there's a lot of Republicans that would gleefully start a military invasion first and question the wisdom of it later.
8 HOURS AGO