The discovery of the Spectre or Meltdown vulnerability in Intel, AMD, and ARM processor chips has set the tone for the cybersecurity situation in 2018. Virtually all electronic devices built on these chips, the basic design of which apparently dates back to 1995, are rendered vulnerable to exploitation by attackers. The vulnerability can allow attackers to access parts of the processor earlier thought to be inaccessible and scan them for sensitive data. Chip manufacturers and software companies are now rushing to devise patches aimed at resolving the vulnerability.
Making things worse is the weaponization of anti-virus applications. There has long been speculation that anti-virus makers are the ones writing viruses, but tweaking anti-virus applications to spy on customers raises the concern to a higher level.
At the center of the weaponization storm is Kaspersky, a popular anti-virus product. It has been alleged that Kaspersky Lab’s anti-virus solution was tweaked to allow espionage on behalf of Russian intelligence services, although no definitive proof has been offered. The allegation also comes on the heels of allegations that Russia manipulated the results of the US elections.
If it can be done to Kaspersky’s anti-virus application, other anti-virus solutions can be weaponized in the same way.
Anti-virus software is designed with privileged access to virtually every resource in a computer, including applications and programs, files, email, and browsers, the common user interface to the internet. With the Meltdown vulnerability, also dubbed Spectre, anti-virus software can be tweaked to access information stored in the bare metal of computers and other smart devices and scan it for keywords that would lead to sensitive documents.
Anti-virus solutions typically run in the background, scanning incoming files for virus signatures. If the software finds a signature in a file, the file is flagged and the computer user is alerted. The anti-virus solution also scans for command strings that appear suspect under its threat detection rules; a file containing such a command string is flagged in the same way. If the scan takes place while the computer is offline, that is, not connected to the internet, any file found to be infected is kept in a local archive. As soon as the user connects to the internet, the suspect files are sent to the anti-virus maker’s servers for further evaluation and investigation. If the command strings are confirmed to cause harm, the anti-virus maker adds the signature to its signature file and issues the updated signature file to all its users.
Anti-virus software makers also update their threat detection rules from time to time. An existing rule may be altered, or a new rule written, for spying purposes. Such weaponized rules may be introduced by an untrustworthy third party who has gained access to the anti-virus maker’s source code or update process.
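As an added illustration (not code from this article or from any anti-virus vendor), the following Python sketches the scan-and-hold flow described above and shows the check that limits the rule-tampering risk just raised: a rule update is applied only if it verifies against the tag the vendor issued for it, so a rule set altered after tagging is rejected. The update key, rule patterns and file contents are constructed for the demo; the keyed tag is an assumption standing in for whatever signing scheme a real product uses.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the vendor's update-signing secret
# (assumption: real products use asymmetric signatures; the check is the same).
UPDATE_KEY = b"constructed-demo-update-key"

# Constructed rule set: byte signatures plus suspect command strings.
TRUSTED_RULES = {"signatures": ["CONSTRUCTED-DEMO-SIGNATURE"],
                 "commands": ["powershell -enc", "rm -rf /"]}

def canonical(rules: dict) -> bytes:
    """Serialise a rule set in a fixed order so its tag is reproducible."""
    return json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()

def tag_rules(rules: dict, key: bytes = UPDATE_KEY) -> bytes:
    """Vendor side: authenticate the rule file before shipping it."""
    return hmac.new(key, canonical(rules), hashlib.sha256).digest()

def update_verifies(rules: dict, tag: bytes, key: bytes = UPDATE_KEY) -> bool:
    """Client side: True only if the rules are exactly what the vendor tagged."""
    return hmac.compare_digest(tag_rules(rules, key), tag)

def scan(data: bytes, rules: dict) -> list:
    """Return (kind, pattern) pairs that matched; an empty list means clean."""
    hits = [("signature", s) for s in rules["signatures"] if s.encode() in data]
    hits += [("command", c) for c in rules["commands"] if c.encode() in data]
    return hits

def scan_and_hold(files: dict, rules: dict, online: bool) -> dict:
    """Flag files; archive them while offline, queue them for upload when online."""
    archive, upload = [], []
    for name, data in files.items():
        hits = scan(data, rules)
        if hits:
            (upload if online else archive).append((name, hits))
    return {"archive": archive, "upload": upload}

if __name__ == "__main__":
    tag = tag_rules(TRUSTED_RULES)
    # A rule set widened after tagging (the alteration the article warns about)
    # no longer verifies, so the client must refuse to apply it.
    altered = dict(TRUSTED_RULES, commands=TRUSTED_RULES["commands"] + ["confidential"])
    print("trusted update verifies:", update_verifies(TRUSTED_RULES, tag))
    print("altered update verifies:", update_verifies(altered, tag))
    files = {"notes.txt": b"meeting notes", "drop.ps1": b"powershell -enc AAAA"}
    print(scan_and_hold(files, TRUSTED_RULES, online=False))
```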
If an anti-virus solution can be weaponized so easily, so too can other security products, including the appliances used to protect networks. The software embedded in these appliances can be weaponized as well.
The quickening pace of the Internet of Things opens a wider attack surface for attackers to play in, and with artificial intelligence new attack techniques can be developed easily.
Even an innocuous component of a computer, the cooling fan, may be used for spying. An experiment has shown that a computer’s cooling fan can be made to act as a transmitter: weaponized software manipulates the fan speed to produce a controlled acoustic waveform, which is picked up by another device, such as a smartphone that has also been compromised to decode the binary data carried by the waveform.
Weaponization of software is nothing new. In fact, all malware is weaponized software designed to attack systems. But any application software can also be weaponized, and this poses a considerable security challenge.
Cybersecurity professionals and practitioners should carefully study the emerging threat posed by weaponized anti-virus solutions in particular and weaponized software in general. Standard frameworks and best practices have been laid down over time, but these frameworks and practices must evolve as attack methods evolve.
Standard reactive defenses may no longer work. Cybersecurity professionals and practitioners should not sit idly by, waiting for anomalous events to happen. Instead, they should proactively look for anomalies that have yet to be detected. Predictive security measures may be a way forward.
In an increasingly wired business environment, competition is high. Business organizations are forced to be agile, developing specialized applications in order to respond quickly to a highly competitive market. All too often, rapid development and deployment skips the all-important steps needed to determine whether the application has been developed securely. Close collaboration between cybersecurity professionals and developers is the direction to go: security professionals should take a more proactive role in the design, development, and deployment of applications in the enterprise.
Cybersecurity professionals may also lead the way in developing a culture of security within their organizations. A security culture lives in the behavior of each and every member of the organization. It is integrated into day-to-day operations, so that everyone is aware of good security practices and collaborates to ensure that the information flowing through the business processes is properly secured.