Entries tagged with “malware” from O'Reilly Radar
Please Update Your Browser
by Ben Lorica | @dliman | comments: 7
A research study released last week measures the proportion of web users running the most updated and secure browsers. With drive-by-downloads increasingly popular with malware distributors, web surfing with an older version of a browser is getting riskier. The study is based on data from Google's search and web application server logs over an 18 month period (Jan-07 to Jun-08), with browser versions lifted from the HTTP USER-AGENT header field found in the server logs.
The researchers assumed that "... most updates and patches for existing Web browser technologies (both the core browsing engine and third-party plug-ins) increasingly incorporate new and vital security fixes": so for the purposes of the study the latest version or update of a browser was considered the "secure" version. The share of users running the latest major release varies over time, with Firefox users much more likely to be using the most secure version:
Overall, 45.2% of Internet users were not using the most secure browsers. The results are on the optimistic side, since the researchers were unable to check for out-of-date and vulnerable browser plug-ins, nor go back in time and adjust for the many zero-day attacks aimed at browsers.
Firefox's auto-update mechanism resulted in most of its users updating to a new version within three days of a new release. Opera's "manual update & download reminder" approach meant it took about eleven days before most of its users updated to a new release. The researchers found that it took 19 months before 53% of IE users updated to IE7; in contrast, 92% of Firefox users were already using version 2. I agree with their recommendation that the other major browsers follow Mozilla's (auto-update) lead:
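To make the study's methodology concrete, here is an added example (not code from the study or from this post) that applies the same idea to a few constructed Apache combined-log lines: it lifts the browser and version from the User-Agent field, counts a client as a distinct (IP, User-Agent) pair, and reports the per-browser share of clients that are not on the latest release. The "latest release" table is an assumption made for the example (mid-2008 values), as is the client approximation.

```python
import re
from collections import Counter
# Constructed Apache combined-log lines (not real traffic); the last quoted
# field is the HTTP User-Agent header the study used to identify versions.
SAMPLE_LOG = """\
10.0.0.1 - - [20/Jun/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.1 - - [20/Jun/2008:10:05:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.2 - - [20/Jun/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
10.0.0.3 - - [20/Jun/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.4 - - [20/Jun/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [20/Jun/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.6 - - [20/Jun/2008:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
10.0.0.7 - - [20/Jun/2008:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 9.27"
"""

# Assumed "latest release" per browser for this example (mid-2008 values);
# as in the study, anything below the latest release counts as out of date.
LATEST = {"Firefox": (3, 0), "MSIE": (7, 0), "Opera": (9, 50)}

# Opera is tried first because some Opera builds also advertise "MSIE".
BROWSER_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]
LOG_LINE = re.compile(r'^(\S+) .* "([^"]*)"$')  # client IP ... "User-Agent"

def classify(user_agent):
    """Return (browser, version tuple) or None for untracked browsers."""
    for name, pat in BROWSER_PATTERNS:
        m = pat.search(user_agent)
        if m:
            return name, tuple(int(p) for p in m.group(1).split("."))
    return None

def outdated_share(log_text):
    """Per-browser share of distinct clients on a pre-latest version; a client
    is approximated by a distinct (IP, User-Agent) pair (assumption: no user id)."""
    seen, total, stale = set(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.groups() in seen:
            continue
        seen.add(m.groups())
        hit = classify(m.group(2))
        if hit is None:
            continue
        browser, version = hit
        total[browser] += 1
        stale[browser] += version < LATEST[browser]  # tuple comparison
    return {b: stale[b] / total[b] for b in total}
```

On the constructed lines the script reports half of Firefox and Opera clients and a third of IE clients as out of date; as the post notes, a version check like this still says nothing about plug-in versions.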
While Microsoft’s operating system auto-update functionality encompasses the Internet Explorer update mechanism even if the browser is not in use, the fact that patch updates (for both Internet Explorer 6 and 7) are typically only made available on a monthly basis means that updates are released less frequently (when compared to Firefox), which can result in a lower short term patching effectiveness. Based upon our findings, we strongly recommend that software vendors embrace auto-update mechanisms within their products that are capable of identifying the availability of new patches and installing security updates as quickly and efficiently as possible - ideally enabled by default and causing minimal disruption to the user. We also recommend that these same auto-update mechanisms are capable of alerting the user of any plug-ins currently exposed through the Web browser that have newer and more secure versions available.
They actually go further and envision a "best before" dating system, akin to what the food industry adopted years ago to help consumers evaluate the likelihood of spoilage. I'm not crazy about the analogy (food and Internet browsing safety) but some form of aggressive notification may encourage users to update their browsers quickly.
What I like about this study is that the resulting data-gathering systems should be able to provide regular updates and over time we can monitor how browser users and makers adapt. Other notable comprehensive security studies include Google's automated system for uncovering web-based malware, and RobotGenius' ongoing automated analysis (using multiple commercial scanners and a behavioral AV detector) of every Windows executable available for download. But while good data sources help determine the scope of a problem, in the case of computer security, bridging the cultural divide that exists between web developers and their Black Hat counterparts may prove just as important.
tags: malware, security
Malware Centers and Offshoring
by Ben Lorica | @dliman | comments: 8
Most studies place China, Brazil, and Russia among the leading sources of conventional and web-based malware. Depending on the type of malware involved, there is a good chance that one of these three countries is among the leading suppliers. Malware from these countries reflects local Internet usage patterns. In Brazil, 75% of regular Internet users access online banking services, so Brazilian malware tends to target financial transactions. In China, instant messaging services and online gaming account for several hundred million active users and close to a billion dollars per year in virtual goods and currencies, so malware targeting online gaming and IM credentials is common there. Organized crime syndicates in Russia have steered resources towards the theft of credit card and bank account numbers, botnets, and phishing.
Why is fellow BRIC nation India not a malware center? While cyber laws and their enforcement are important, cyber law enforcement is weak in lots of countries not known for producing malware. The most common response I got from people I queried is that crimeware centers need a steady supply of skilled workers, and the criminal know-how to identify opportunities and evade prosecution. Here are three ingredients that may be crucial to nurturing a malware industry:
1. High standard of basic education, large supply of technical workers
2. Strong presence of traditional organized crime
3. Widespread poverty and lack of employment opportunities for recent (technical) college graduates
Unlike Brazil and Russia, where organized crime syndicates are involved in the malware industry, China has many amateurish hacker groups that maintain public web sites and give interviews to the press. The strong presence of organized crime in Brazil and Russia may explain the profit-making focus and relatively low profile of digital miscreants in those countries. Over the past few years the sphere of influence of Russian criminal groups has slowly widened to include some hacker groups in the rest of the FSU.
Contrary to the common perception that jobs are easy to secure in China, many technical graduates in China face a challenging labor market. A 2005 survey by McKinsey indicated that multinationals were reluctant to hire graduates of second-tier universities in China. Similarly, a 2006 Chinese government study (National Development and Reform Commission) estimated that 60% of that year’s university graduates would be unable to find employment in their preferred fields. The government attributes the reduced quality of many technical education programs to the rapid growth in enrollment.
Unlike its BRIC peers, India has a technology sector that can't seem to get enough workers. Along with the usual focus on law enforcement, strengthening the IT job market in the other BRIC nations would go a long way towards weakening the crimeware industry in those places. You give people good jobs and they are less likely to work for local criminal syndicates. A good reason to not reflexively oppose IT offshoring.
tags: bric, malware, security