Is that pro mind-set reflected in the exploit patterns?
Well, what I'm seeing is more hackers are now writing their own exploits. In the past, they would just use well-known attacks. Before, whenever there was a new bug, hackers would compete among themselves to see who would be the first to write exploit programs for those bugs and then publish them to Web sites and mailing lists like BugTraq and Full-Disclosure. And then everyone else would go there, download those attack programs and run them blindly.
Today, more people write their own exploits. Why are they able to do it? If you look at the kids graduating from school all over the world, they got interested in hacking when they were, like, 12-year-olds, in the mid-'90s. Over the years, their interests have grown into a skill set that lets them write their own attack programs.
Speaking of new exploits, what do you make of the rising number of bug variants that we've seen this year?
In the past, antivirus vendors would compete with each other to see which would be able to write signatures faster for each new virus that came out. But with Netsky and Bagle, we saw the reverse. Now we have virus writers who compete to see how fast they can update their viruses in response to each new antivirus signature. That's why we see a Netsky a, b, c, d and so on.
But why were hackers suddenly interested in making variants?
Well, with previous virus writers, their goal was to create a virus and see if it could be done. After that, these virus writers were done. There seems to be a change in the psyche among virus writers now. You see this with Netsky and Bagle. There are two teams of people competing with each other. The Netsky people hated the Bagle people, and Bagle people hated the Netsky people. So it was kind of like a feud between them.
So how worried should we be? Are viruses becoming more sophisticated in a hurry?
No. Viruses today are really no more sophisticated than they've been over the last several years. As a matter of fact, Netsky and Bagle are pretty unsophisticated. As security professionals, we know how to create a sophisticated virus. The reality is that hackers that write viruses really aren't all that smart. They focus more on whatever defences they see. They try to do one extra step. And so we rarely see a huge advance in hacking techniques. Rather, we see gradual growth. Most virus writers only try to stay one step ahead. And only one step, not five or 10 steps.
The bread-and-butter defence today remains the firewall. Where does this mature technology go from here?
Firewalls have basically been supplanted by intrusion-prevention systems. In the old days, it was enough just to lock the doors. But these days, we realise that some doors have to be unlocked. And we need to protect against cases when doors aren't locked. It's like a bank. Robbers will come in and rob the bank in the day, when doors are unlocked. The problem is not that you need to find a stronger lock for the front door, because fundamentally you can't lock the front door all the time. You need to let customers in. And that's what firewalls basically are -- doors that are locked.
IPS (intrusion-prevention systems), on the other hand, are able to look for attacks coming in the open doors. IPS and firewalls are probably going to merge soon into one product. But firewall technology, by itself, is done. It already has become a commodity.
Talkback
I found the article with Robert Graham being interviewed on internet security to be both interesting, but also a little annoying. To call these hackers stupid and only thinking of one step beyond the limits set by any type of security is very shallow minded to say the least. Children these days (Not children from the 90's revolution) are fed computer literature and manuals until they cannot see anything but code of all languages, who is to say that these "Kids" cannot, at a tender age write something that could bring down most of the internet with ease and go the extra 5 - 10 steps beyond that Robert Graham says is not possible? If Robert is as narrow minded as this, how many other interent security chief scientists think like this? And it begs the question should they be in the job they are, to under-estimate anyone is silly, to under-estimate the youth of today is VERY stupid indeed!