Complete Transcript of Interview - Randy Abrams - ESET
on Let’s Talk Computers, Host Alan Ashendorf
July 19 2008
Alan: You’ve just downloaded and installed one of the new browsers on your computer system. And since this is a new browser and it’s supposed to be more secure than ever, do we still need to have anti-threat software? Our guest today is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Thank you Alan. It’s always great to be here.
Alan: We have all seen the ads, “If you download these new browsers, they are supposed to protect us better on the Internet.” They are supposed to go to websites that we are not supposed to be going to. Just recently we saw a major release of Firefox 3 and it claims to be far more secure than Internet Explorer. But, isn’t this giving us just a false sense of security?
Randy: Well, it’s not exactly true that Firefox doesn’t have any vulnerabilities. They have had their share of patches, too. And in fact, I use both Firefox and Internet Explorer. When I want to be more secure online, I use Internet Explorer, because it’s a lot easier to configure it to give me a lot more choice in what I let run. For general surfing, I think right now Firefox has a very slight advantage.
Software alone does not make you safe online. You have to educate yourself. That’s part of the process of computer security – is making wise decisions and your browser just can’t do that for you.
Alan: Well, Virus Bulletin did a poll of people who think that browsers themselves keep you safe on the Internet. It was astounding the results that they got back. People using Firefox 3, Internet Explorer 8, the new Opera 9.5 – they think that the browser itself is capable of keeping you safe. That’s surprising, isn’t it?
Randy: It is. It shows how much work we have to do in terms of computer security education. Because the browser itself does very little to protect an uneducated user against phishing attacks, for example.
Now, browsers can help identify potential phishing sites, but some users will override that protection. I just saw a demonstration of Internet Explorer 8 and they will make it a lot more clear in this new version when you’ve gone to a suspected phishing site; but they already do a pretty good job on that.
However, these sites come up so quickly that you are always in reactive mode and if you get to a brand new one before it’s been reported and don’t know better, your browser can’t help you at all. The browser is part of a layer of security. It’s like saying, “Will a seatbelt make you safe in a car?”
Alan: Taking the analogy of a bank robber – your typical bank robber is going to be stopped by a big safe or a new combination lock or some kind of dead lock. But, a professional bank robber is not going to think twice about that, are they?
Randy: Correct. They will go into the bank and know what they need to do to defeat the security to start with.
Alan: And it’s the same thing with virus protection because there are big bucks behind this, isn’t there?
Randy: Oh, yeah – huge - and so the bad guys are actually testing the antivirus software and the highly professional ones don’t release their new creations until they know that they beat either all of the antivirus products or enough to make it worth their while.
In many cases they don’t have to beat every antivirus product. All they have to do is beat the ones that have, say, 70-80% of the market share to make it worth a profit. And then, the ones they don’t get, well it wasn’t worth the investment.
Alan: And it’s not just releasing a virus where we used to see where all viruses of that same nature were exactly the same. These change and just morph on the fly, don’t they?
Randy: They actually are programmed to change themselves, in some cases, every 5 minutes. That’s what we see with the Stormworm. The Stormworm is on a server that gets called for downloads and people go to different specific sites. Every five minutes it’s programmed to automatically make some changes to beat your signature-based detection.
Alan: Well, I know it’s true that the new browsers are more tightly written to eliminate the possibility of their hacking into the browser or taking over your identification and your security, etc. But, this does not keep you safe at all, does it?
Randy: No, not at all. Because the browser has to let you enter confidential information and that’s how you are able to bank online. So, there’s no way that the browser, right now anyway, can tell if every site you go to is legitimate.
Now, they can tell in many cases that a site is not legitimate, because they have seen them before. Some software can make educated guesses to help protect you. But the browser itself cannot ensure your safety. The browser does nothing at all to protect you against attacks where you open something in an email or attacks where you go to a website and it’s a legitimate website and go to download something but what the browser didn’t know is that someone had hacked into that legitimate website. Instead of downloading a good program you are downloading malicious software. The browser is supposed to let you download stuff from trusted sites.
Alan: And it's totally a legitimate site that you go to day after day and someone has hacked into that site and now they put what they call a “drive-by download,” where you don’t even realize you are downloading something.
Randy: Actually, to some extent, browsers can help protect against some drive-by downloads, but only if they are configured to be restrictive. That means that you lose some degree of functionality, which probably is a good thing in the long term. But right now people are not ready to accept losing some of the pretty pictures and animations they have come to enjoy.
Alan: Well, I know at the PC User Group when we have new members in, we always ask them what kind of browser they use; what kind of security they use and so many of the new users do not realize there are security settings in their browser and if they are not set right, it’s like just leaving your doors open when you go on vacation.
Randy: Exactly and I was kind of dismayed just yesterday to find that when I went to download a form from the Internal Revenue Service that Acrobat prompted me, (because it was a PDF), and said, “This form has JavaScript. You’ve got JavaScript disabled. Do you want to let it run?” Well, I have JavaScript disabled in Acrobat, because I don’t think that I need to have JavaScript running in a PDF file. If it needs to run that’s not the PDF I want. So, most people don’t even know that they can turn off JavaScript in Acrobat. They don’t even know it’s there.
Alan: Well, most people don’t even realize that there is a possibility of putting JavaScript inside of a PDF file because they think it’s a “read only” type file and all you’re going to be doing is seeing things on the screen or printing it to the printer.
Randy: It used to be that way, but the drive to compete with Microsoft Word and the drive for extended functionality has changed the game so that now your PDFs are no longer a perfectly safe platform. And in fact, we have seen several instances now where PDF files have had exploits built into them. It’s not the PDF itself with the bug in it. It’s that the reader software has a bug at times.
What that means is you can download a specially and maliciously crafted PDF file and it will cause software to run on your computer that should not run on your computer.
Alan: There’s no way that the browser can tell that that’s a bad PDF file. That’s where your ESET Smart Security comes into effect – especially with your heuristics. You have to take a look at it at the point that it’s going to be launching that malicious attack.
Randy: Exactly – the browser knows nothing of malformed PDF files. The browser generally knows nothing about picture files that are created incorrectly or when there’s a buffer overflow present in the software that actually displays the picture. That’s usually outside of the browser and the browser’s not going to protect you from that.
I don’t want people to get the wrong idea. Using the latest browser will help to improve your security, but it doesn’t make you secure alone. Just like getting a car that has anti-lock brakes will help you stop more safely, but it doesn’t replace the seat belt; it doesn’t replace the air bags; it doesn’t replace having good safe tires on your car. It’s just part of the security solution.
Alan: Well, you really need a multi-tier approach, don’t you?
Randy: Right. We call that, “defense in depth.” What that means is that you use multiple layers of defense. Everyone has heard the term, “last line of defense.” You generally don’t want to get to your last line of defense. You want to have something left over in case there’s a problem so that you can deal with it.
Well, having a good safe browser is one part of your defense; but if that’s your only defense – if that’s your last line of defense, then you’ve got a single point of failure and that’s a real problem.
Alan: You need to set your browser security to “high” and make sure that you only have trusted sites in your “trusted site” locations, otherwise you’re just leaving the door open, aren’t you?
Randy: That’s true and it’s been a challenge to try to teach people how this is done. The difficult challenge and I think where the industry really needs to go towards not requiring the kind of scripting and active content that they currently do.
The fact is that people in general are not going to set their security to a high level because then they have to worry about which site is OK to give more access to. Those people that are paranoid or really care a lot about their security and are willing to go through the steps are rewarded with a much more secure computing experience.
But that’s one of the challenges I face in convincing people that it’s a good idea to learn a bit more about your security settings in your browser and learn how to set them for maximum security.
Alan: That’s where you need to have reliable anti-threat software like the award-winning NOD32 or your ESET Smart Security, don’t you?
Randy: Anti-virus software, especially one like ESET NOD32 Antivirus that has the heuristics to help identify things that we have never seen before are part of your defense in depth. They help protect you when things like a browser can’t, because a browser can’t protect you from everything. They will help protect you against, in some cases, phishing attacks and a variety of other threats that no browser is equipped to deal with because that isn’t their job; it’s not what they were designed to do.
Alan: You mentioned that, “more people need to be educated about how to use their browser and how to be safe.” We live in the real world and most people when they go to the Internet are going to click on buttons. As long as they can open up their email and go to websites and browse around that’s all they want to do. They don’t want to understand how a computer works.
Randy: Yes. It’s definitely a challenge and I think that fundamentally what has got to happen is teachers, (people are studying to be teachers in college) need to become educated on computer security. As they go out into the field and start teaching our elementary school children and our high school and college students, that’s where the security is going to have to come from. That’s where you can still reach the people and get them to understand it and make passing the course dependent upon their getting this.
It’s going to be a long, drawn-out process to get to where we really need to be for computer security. But, that doesn’t mean that a dedicated individual today can’t quickly learn some tips that will help make them much more secure.
Alan: It’s interesting – we have to have a driver’s license in order to get out on the road and drive, but we don’t have to have any kind of license or any kind of training to get onto the Internet. But if somebody ends up using our computer as a botnet or our identity gets stolen, you know, we’re not responsible are we?
Randy: It depends on whether you use the credit card or a debit card and it depends upon your bank. There are a lot of variables there. But no, pretty much because of the vast amount of money that’s involved in online banking, online commerce, the banks have wanted to make it so that it’s invisible to you how much money you are spending for fraud.
Because you might think, “Well, if my credit card gets stolen I’m protected; and it’s the bank that eats it; it’s not going to cost me anything.” But, I will tell you what, the way the world works, the bank isn’t going to eat it. The bank is going to make sure that you pay for it in some way. Now, it might be that you pay for in higher interest rates; it might be that you pay for it in higher banking fees.
Why do you think it costs $2 to use a cash machine? It costs the bank a lot less money for you to use a cash machine than to go see a teller. But, that’s one place that the bank can make up the losses. It isn’t free for the consumers to lose money. It’s just hidden from them as to how they are paying for it.
Alan: There is no “free lunch,” when you get on the Internet. You need to be secure.
If somebody would like to find more information about your award-winning ESET NOD32 Antivirus and ESET Smart Security, where would they go?
Randy: They can go to http://www.eset.com/ and if they have specific security questions they can do one of two things: They can email them into you and they can also email me at askeset@eset.com.
Alan: I know you have tons of tips and techniques for keeping safe on your website, don’t you?
Randy: We have Podcasts; we have a Blog that three of us are contributing to. There are multiple resources for people to learn more about computer security.
Alan: It’s all about education. The more educated we are about how to be safe on the Internet the more enjoyable our experience is going to be. Randy, as always, it’s been a pleasure to have you as our guest here on Let’s Talk Computers, talking about how to stay safe on the Internet. We look forward to talking to you again, next time.
Randy: Thank you Alan. I look forward to being back.


