Malware and other cyber threats, many of which are state sponsored, are growing
The wild, wild Web grows ever wilder, and U.S. companies and critical infrastructure remain vulnerable targets, executives from cybersecurity giant McAfee warned Wednesday.
Sixty million malware programs are written annually now, up from 3 million in 2007, McAfee president Dave DeWalt told a conference that included government information technology specialists.
Cyber malefactors are using that malware and other methods to target vital infrastructure, the military, corporate intellectual property and personal identities, McAfee officials said.
Attacks are aimed at virtually anything attached to the Internet -- computer networks, smartphones and other mobile devices, servers, industrial controllers, and even automobiles, some of which are essentially rolling Wi-Fi hot spots, DeWalt said. Other targets include automated teller machines, printers, medical devices and a multitude of other electronic equipment.
The cyber onslaught comes from other nations as well as from organized crime and independent actors, DeWalt said.
At least 20 nations have built cyber vulnerability research laboratories and armed themselves with the ability to carry out cyberattacks, he said. They include nations in Asia, the Middle East, Eastern Europe and Western Europe, DeWalt said, but he declined to name individual countries.
"Countries are investing in a way we've never seen before," and increasingly there is evidence of attacks by foreign governments to steal intellectual property from U.S. companies, he said. "For many years we've seen government on government espionage," but now "there's government on commercial. It's a different landscape."
The statistics collected through McAfee surveys are stunning. One in four consumers has been a victim of digital identity theft, DeWalt said. Increasingly clever spear phishing attacks use personal information, often gleaned from the Internet, to deliver malware embedded in emails that appear to be from friends or bosses.
Keystroke loggers installed unwittingly from infected thumb drives, emails and websites collect passwords that give thieves access to bank accounts and valuable corporate secrets. Root kits -- the building blocks for developing malware -- are readily available for sale on the Internet, he said.
Enterprising attackers hand out "candy drops" -- free, but infected, thumb drives, DVDs and other computer peripherals to unsuspecting computer users, who plug them in, inadvertently providing an entryway to otherwise secure networks. In elaborate candy drops, free laptop computers loaded with malware have been delivered to government offices in West Virginia, Vermont and Wyoming.
The cost of the laptop is "peanuts" compared to the value of the information that may be retrieved through them, said George Kurtz, McAfee's worldwide technology chief.
And even when cyber thieves and spies break into networks and fail to find valuable information, they still profit by selling access to those network, he said.
McAfee is developing new defenses against the growing threat, DeWalt said. This summer the company plans to begin offering technology that will reside deeper in a computer's stack of operating software to hunt for malware that has made its way into the operating system or what's known as the BIOS, the basic input/output system. Current antivirus software resides at the application level and does not dig deep enough to protect the OS or BIOS, DeWalt said.
The company also is promoting white listing as a substantial new defense. White listing lets computers access only websites and networks that are preapproved and known to be safe. It is much safer than its opposite, blacklisting, which blocks computers only from sites that are known to be dangerous, DeWalt said.
To determine which sites are safe, McAfee has developed software crawlers that search the Internet and assess whether websites are safe or dangerous, he said.