The New York Times has described in detail how it was hacked by a group looking for data on Chinese dissidents and Tibetan activists. The attack was investigated by security company Mandiant.
Note the following:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
Apparently the initial attack method was simple: emails with malicious links or attachments.
Symantec made an unconvincing defence of its products in a statement quoted by The Register:
Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.
Could the New York Times hack have been prevented by switching on more Symantec features? Count me as sceptical; in fact, it would not surprise me if these additional features were on anyway.
Anti-malware solutions based on detecting suspicious behaviour do not work. The task is too difficult: it means balancing inconvenience and performance against limited knowledge of what really is or is not suspicious. Further, the dialogs presented to non-technical users are mystifying, and whether they choose the right response is a matter of chance.
This does not mean that secure computing, or at least more secure computing, is impossible. A Windows desktop can be locked down using application whitelisting (only executables on an approved list are allowed to run) combined with limited user permissions (a standard account rather than an administrator one), at the expense of inconvenience if you need to run something not on the whitelist. In addition, users can avoid most attacks without the need for any anti-virus software, by carefully avoiding malicious links and attachments, and untrustworthy websites.
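To make the whitelisting point concrete, here is a toy allowlist evaluator in Python. It is an added example, not code from the article or from any Microsoft product: it models the default-deny logic that application whitelisting tools such as AppLocker or Software Restriction Policies apply (executables may run only from administrator-controlled directories or when their hash is explicitly approved; deny rules beat allow rules; everything else is refused), and it goes one step further than the paragraph by showing why the "limited user permissions" half matters: a lint pass flags any path allow rule that a standard user could satisfy simply by writing into the allowed tree. All paths, file contents, hashes and the map of user-writable directories are constructed for the example.

```python
"""Toy executable-allowlist evaluator (added example; not the article's code).

Models the default-deny model of Windows application whitelisting:
run only from admin-controlled directories or by approved hash, deny wins,
everything else is refused.  Paths, contents and the writable-directory
map are constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


def _parts(path: str) -> list:
    """Lower-cased path components, because Windows paths are case-insensitive."""
    return [s.lower() for s in PureWindowsPath(path).parts]


def _under(path: str, directory: str) -> bool:
    """True if `path` is strictly inside `directory`."""
    p, d = _parts(path), _parts(directory)
    return len(p) > len(d) and p[:len(d)] == d


def _same_or_under(path: str, directory: str) -> bool:
    """True if `path` is `directory` itself or inside it."""
    p, d = _parts(path), _parts(directory)
    return len(p) >= len(d) and p[:len(d)] == d


@dataclass
class Policy:
    allowed_dirs: list                                  # path allow rules (admin-controlled trees)
    allowed_hashes: set                                 # SHA-256 allow rules for binaries elsewhere
    denied_dirs: list = field(default_factory=list)     # explicit deny rules


def evaluate(policy: Policy, path: str, content: bytes) -> tuple:
    """Decide whether an executable may run; returns (allowed, matching rule)."""
    # Deny rules take precedence over every allow rule.
    for d in policy.denied_dirs:
        if _under(path, d):
            return False, f"deny path rule {d}"
    # A hash rule approves one exact binary wherever it lives; any change breaks it.
    if hashlib.sha256(content).hexdigest() in policy.allowed_hashes:
        return True, "allow hash rule"
    # Path rules approve whole trees that only administrators can write to.
    for d in policy.allowed_dirs:
        if _under(path, d):
            return True, f"allow path rule {d}"
    # Nothing matched: default deny is what makes whitelisting work.
    return False, "default deny"


def lint_policy(policy: Policy, user_writable_dirs: list) -> list:
    """Flag path allow rules that cover a directory a standard user can write to.

    Such a rule quietly turns the allowlist into "anything dropped here runs",
    unless a deny rule carves the writable location back out."""
    findings = []
    for allowed in policy.allowed_dirs:
        for writable in user_writable_dirs:
            if _same_or_under(writable, allowed) and not any(
                _same_or_under(writable, d) for d in policy.denied_dirs
            ):
                findings.append(f"{allowed} allows user-writable {writable}")
    return findings


# Constructed sample data: an approved binary and a policy for the example.
APPROVED_TOOL = b"MZ constructed approved binary"
POLICY = Policy(
    allowed_dirs=[r"C:\Program Files", r"C:\Windows"],
    allowed_hashes={hashlib.sha256(APPROVED_TOOL).hexdigest()},
    denied_dirs=[r"C:\Windows\Temp"],   # assumed user-writable hole under C:\Windows
)
USER_WRITABLE = [r"C:\Users\alice", r"C:\Windows\Temp"]   # constructed for the example


def demo() -> list:
    """Run a handful of constructed launch attempts through the policy."""
    cases = [
        (r"C:\Program Files\Reader\reader.exe", b"MZ reader"),              # trusted viewer
        (r"C:\Users\alice\AppData\Local\Temp\update.exe", b"MZ dropper"),   # dropped by the viewer
        (r"C:\Users\alice\tools\approved.exe", APPROVED_TOOL),              # hash-approved
        (r"C:\Users\alice\tools\approved.exe", APPROVED_TOOL + b"!"),       # tampered copy
        (r"C:\Windows\Temp\stage2.exe", b"MZ stage2"),                      # carved-out deny
    ]
    return [(path, *evaluate(POLICY, path, content)) for path, content in cases]


if __name__ == "__main__":
    for path, allowed, rule in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}  ({rule})")
    for finding in lint_policy(Policy([r"C:\Windows"], set()), USER_WRITABLE):
        print("policy warning:", finding)
```

The second case is the one that matters for the attack described above: a malicious attachment opened by a perfectly legitimate, allowed PDF or Office program drops a new executable into the user's profile, and that executable is refused because no rule covers it. The trade-off the paragraph mentions shows up in the third and fourth cases: a hash rule lets an administrator approve one tool outside the trusted trees, but every update to that tool needs a new rule.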
Aside: it is utterly stupid that Windows 8 ships with a new mail client which does not allow you to delete emails without previewing them, or to see the real destination of a URL in the body of an email.
This kind of locked-down client is available in another guise though. Tablets such as those running iOS, Android or Windows RT (mail client aside) are designed to be resistant to attack, since apps are sandboxed and normally can only be installed via a trusted app store. Although users can bypass this restriction, for example by enabling developer permissions, this is not such a problem in a corporate deployment. The users most at risk are probably those least likely to make the effort to bypass corporate policies.
Note that in this context a Windows 8 Professional tablet such as Surface Pro is just another desktop and no more secure.
Another approach is to stop believing that the endpoint – the user’s device – can ever be secured. Lock down the server side instead, and take steps to protect just that little piece of functionality the client needs to access the critical data and server applications.
The key message though is this. Anti-virus software is ineffective. It is not completely useless, but can be counter-productive if users believe that because they have security software installed, they are safe from malware. This has never been true, and despite the maturity of the security software industry, remains untrue.
New types of client devices hold more promise as a route to safer personal computing.
Actually, this is a good reason to use Linux:
Linux never puts the current directory in your executable path.
A nonroot user can infect only the files that user has write access to (ie in the user’s home directory).
Linux forces you to manually mark files as executable via chmod u+x.
I’m puzzled that Windows 8 Pro is still susceptible?
I thought all WinRT apps were supposed to be sandboxed, so Win 8 Pro should be just as protected as Win 8 RT, as long as you are not running a WinRT e-mail client.
Granted, the fact that it's full-blown Windows means there is a much higher chance you will be using a classic Windows e-mail client. But it would still seem to indicate that Windows 8 Pro has at least some benefits over Windows 7, if you use it right.
@Josh: Your second point is true of any modern multiuser operating system — not just Linux. Of course, this only applies if there is no privilege escalation attack.
Your first and third points assume this attack was carried out through .EXE files. The vector could just as well have been a PDF file or a Java JAR.
In that case, the executable would be the PDF reader, say, which is already in your path and already has the executable bit turned on. It then becomes a simple matter to drop the payload and make it executable.
—
The bottom line is that the New York Times was targeted by a sophisticated operation that was willing to expend considerable resources. They dropped customized malware, and ran it through virus-checkers first to make sure it wouldn’t get flagged. (Well, 44 of them, anyway. Someone slipped up on the 45th.)
This is not the usual numbers game. In a targeted attack, you can no longer depend on the security provided by using an unpopular platform.
—
@Alex: Yes, Windows 8 is safer if you run just the Metro apps, and never touch the desktop. The problem is that people will use the desktop — and they will get infected via the desktop.
Safer? Yes, maybe, a little. As safe as Windows RT? Not even close.
Seriously, Symantec certainly has the worst security software in the world! I worked with two companies which rely on Symantec products for security, and each time it has proven to be a piece of junk: slow to update (for example: one time we had a malware attack, and Symantec needed 6 days to have an update ready, McAfee two days! The administrators used the McAfee malware cleaner to clean the server :D), many false alarms, etc.