Then the Internet happened, the browser became the dominant application, and websites emerged as a major means of distributing what became known more generically as ‘malware’. Malware included old-fashioned viruses, but also mass-distribution worms, Trojans (a major new class of program), and a cluster of applications designated as ‘spyware’.

Suddenly, the threat wasn’t just good coding it was bad coding too, with the industrialisation of malware that could exploit software vulnerabilities in the OS, in apps, and especially in browsers and browser plug-ins.

Paid-for AV products found themselves doing a lot more work at a lot more layers of the software stack, and diversified into today’s suites that do everything imaginable, including encryption, firewalling, backup, spam filtering, browser trace deletion, parental control, IM and P2P control, web, file and app monitoring, and all before old-style hard disk scanning is even mentioned.

The problem for security companies is that many pieces of this security jigsaw are at least partially done by free programs, starting with browsers, now secured using layers of settings and URL checking. A reasonable two-way firewall comes with Windows 7 (Vista’s is one-way), and of course the basic AV is handled by free utilities that many users swear by.

The fascinating thing about ‘free’ is how much users get without having to reach for the credit card. But how much is really enough security and which features does the average user need and perhaps not need?

The firewall

Firewalling is a complex issue, and in principle will de done by a gateway device such as a wireless router. In truth these are often complex to configure and understand, leaving most users relying on a desktop firewall that monitors traffic in and out of a PC. Windows 7 ships with a perfectly serviceable one included and the numerous free choices are also excellent to the extent that it’s hard to see why anyone would pay for one.

Frankly, we wouldn’t see a huge point in using a third-party firewall-only product unless you’re still using Windows XP, in which case look to ZoneAlarm or Comodo (which includes optional antivirus), both of which are easy to use, and do what they say on the tin. Whichever product, watch out that is doesn’t hit CPU. And that the Windows version is turned off before installation.

Patching

This tends to be an ignored aspect of security. Windows performs its own update once a month at least, as will individual programs, but out-of-date software, unpatched against known security issues is still a major problem, especially on systems that are not used every day.

A number of free programs exist to examine applications for out-of-date versions, perhaps the best of which is Secunia’s Personal Software Inspector (PSI).

Browser plug-ins

Browser security is much improved but still far from infallible, which is why plug-ins have appeared to address specific problems. There are hundreds of these, nay thousands, and each one s specific to a different browser.

Noscript (Firefox)

Noscript is a Firefox extension that stops Javascript (a major target for security flaws) from running without permission, blocking exploits such as clickjacking and XSS; whitelisting feature lets the user select named sites that can run scripts. Can be a bit intrusive but worth it for the security-conscious.

Trusteer Rapport

Installs in all major browsers and verifies using a small green icon that a website is genuine using built-in lists or those added by the user. For partners sites – banks say – it can also encrypt the keyboard to website communication for secure login, though only small number of sites are covered for this. Even when not using this feature, is a useful and non-intrusive shield against website spoofing.

LastPass

An absolute must and by far the best browser-based secure password store out there. As well as acting as a database of web-based passwords (and a replacement to having them stored insecurely by browsers), it automates logins, stores form data, and has plenty of control over how to treat different sites in a more or less automated way. Can be access from anywhere by any PC using a single master password.

The free antivirus scanner

A basic malware scanner downloads signature files every day which it uses to perform retrospective scans of hard disks for bad files at defined intervals. It will also offer some level of realtime protection against the incursions of rogue software and spam attachments, often by complementing browser security settings. It will also usually monitor for dodgy URLs, though again this is done by browsers and, with lesser reliability, by search engines themselves.

Microsoft Security Essentials

Microsoft dabbled with paid-for security then threw in the towel and came up with this free gem only last year. It has garnered good scores in tests (that is about the same as paid-for products for basic antivirus scanning), uses little in the way of resources, and is extremely simple to configure and use. Basic, yes, but not cut-down in terms of the core features which are file scanning, realtime process monitoring. Will scan inside archives and removable drives, but use in conjunction with browser security add-ons because it does not monitor URLs or watch what’s coming in via email. No frills.

AVG Antivirus Free Edition

The granddad of free, AVG is probably the most popular unpaid antivirus program going. Very similar to the Microsoft product with the addition of an optional browser link-scanner and the ability to create a rescue disk. Not as light on resources as Security Essentials but still more than capable.

Panda Cloud Antivirus (PAV)

A bit of an untested option at present but a curious one. Panda runs in small footprint ideal perhaps for netbook users, thanks its makers claim to its part-signature, part cloud-based intelligence.
It has a lot of features free programs tend to lack. It scans email (inbound and outbound attachments), IM and web browsing, claims to block rogue scripts, and protects against vulnerabilities (although which ones will obviously depend on the remote database), all of which are launched in an on-demand way. It also has an optional firewall and can create a rescue disk.

If Panda Cloud has a problem it is lack of feedback and no scheduled scanning which might bother some. Apart from the occasional update request, it’s barely noticeable, even when browsing websites other programs would take issue with. It did, however, prove its worth against one fairly common Trojan, while the beta version suffered a single false positive.

Conclusion

The best antivirus program from these for light use of resources is Microsoft Security Essentials, the best for features-at-no-cost undoubtedly Panda Cloud Antivirus. The cloud client-server model is an interesting direction others will surely follow in the near future. How does Panda offer a free product tied to an expensive datacentre? Presumably, the malware it detects through the consumer products help it improve the paid-for business version.

More widely, it is clear that stumping up £30-£50 ($47-$70) for a full suite is not necessarily the best option for users even if they are happy to throw money at the security problem. The suite will do everything – a good recent example is Kaspersky’s Pure which includes encryption, backup and parental control – but not necessarily as well as separate programs. Suites tend to be more complex, more resource-heavy, and inevitably elements of each are mediocre.

Any one of these and other free antivirus programs (BitDefender, Avast!, ESET) will do a perfectly good job when complemented with a secure password database, judicious use of encryption, and browser controls.

I am generally one of the first to point out that the security risks associated with the Windows operating system are often exaggerated, or at least that the relative threat level is a function of market share, and that if Linux or Mac OS X had 90 percent market share those systems would be at least as vulnerable, and at least as targeted by malicious attack as Windows is now. That said, saying that Linux is five times more likely to distribute spam than Windows seemed like skewed math for the sake of sensationalism.

I checked with other malware security experts to gather some additional insight on the issue of Linux as a purveyor of spam. What I found was a consensus regarding the root cause behind the metrics, and ultimately that Linux may, in fact, be an inordinate source of spam messages.

Tyler Reguly, lead research engineer for nCircle, told me “I actually find the report rather odd, and also question their methods for remote fingerprinting. If they were using passive fingerprinting on mail coming into their server, they wouldn’t necessarily have an accurate fingerprint of the host sending the mail. They could instead be fingerprinting a mail server with an open relay, or an ISP “smarthost”. They also acknowledged that much of the Linux attributed spam could be coming from direct marketing emails… these would most likely be mailed out through a proper mail server (which is quite likely to be running Linux).”

A security researcher from FireEye emailed to say “We wouldn’t be surprised if these Linux boxes just have TCP port 25 open and are being abused as open SMTP relays. The malware is doing this to hide the locations of the infected (Windows) machine. Modern malware is designed to maintain long term control over systems since the primary cost of building these malware infrastructures is the time and energy needed to “acquire” infected systems.”

Andrew Brandt, lead threat research analyst at Webroot, also found the report potentially suspect “The Spam Index feature in the report appears to overemphasise a problem which may have little to do with any inherent issue or vulnerability with a particular operating system. The spam index seems odd with no context; we don’t know whether there’s any kind of active infection on a machine running a particular operating system.”

“This is not good for any company, especially for a company dealing with security,” acknowledged Roel Schouwenberg, a senior antivirus researcher at Kaspersky, in a conference call last week. “This should not have happened.”

The company had revamped the U.S. support site and relaunched it on Jan. 28. From that point until Feb. 7, the support database was open to attack, Schouwenberg said. The revamped site has now been replaced by the old version.

In a blog post, the hackers claimed that they were able to access a customer database that held e-mail addresses and software-activation codes by launching a SQL injection attack.

Schouwenberg confirmed that the database was hacked via SQL injection, but he contended that only the database’s table labels were accessed, not the customer data. However, the e-mail addresses of about 2,500 customers and some 25,000 activation codes were at risk, he noted.

Schouwenberg said the hack was made possible by a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky.

Kaspersky hired Next Generation Security Software Ltd.’s David Litchfield, an expert on SQL injection attacks, to audit the systems. His report, delivered Feb. 12, confirmed Kaspersky’s findings.

An unidentified hacker reported over the weekend that he was able to access a complete profile of the company’s databases, revealing its clients’ names, activation codes, list of bugs the company tracks and client email addresses.

The hacker claimed to have hacked Kaspersky Labs’s databases using an SQL injection attack, which exploits a vulnerability in an application’s database layer.

The method has become a popular means to gain information via web-facing applications or as a way to use popular websites to spread malicious software.

Microsoft’s UK website came under a similar attack in 2007 when hackers used an SQL injection to inject HTML code which seemingly defaced its web pages.

The Kaspersky hacker, who published their finding on the Hackersblog.org website, has since said that confidential data would not be released.

“[The] Kaspersky team doesn’t need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data. We just point our fingers to big websites with security problems,” they reported.
Kaspersky Labs has admitted that a subsection of its usa.kaspersky.com domain was vulnerable last Saturday when a hacker “attempted an attack on the site”.

“The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site,” a spokesperson for the company said in a statement.

Commenting on questions about the recent argument between his company and Microsoft over Vista application programming interfaces (APIs), Ilias Chantzos, Symantec’s government relations manager for EMEA, said that the two organisations would co-operate in SafeCode in order to benefit customers.

“We have a multi-faced relationship with Microsoft and we are keen to work with them. That will ultimately benefit our customers. I see this relationship as complimentary rather than competitive,” Chantzos said.

Last year, security companies, including Symantec and McAfee, complained that Microsoft had locked them out of the Windows kernel. The security vendors claimed that a kernel shield developed by Microsoft, called “PatchGuard” and intended to stop hackers attacking 64-bit versions of Vista, blocked their security products too.

Microsoft eventually agreed to provide security companies with access to the 64-bit APIs but didn’t actually provide access until two months after it had officially relented.

Microsoft had long maintained that a complete lock on the kernel would provide the best operating-system security and stability, but it made concessions in response to antitrust concerns raised by officials in Europe and Korea.

SafeCode is being headed up by cybersecurity expert Paul Kurtz, who was one of the founding members of the Cyber Security Industry Alliance (CSIA) and a former White House National Security Council and Homeland Security Council member under Presidents Bush and Clinton.

Kurtz claimed that the organisation is the first global industry-led body aimed at the development and delivery of more secure and reliable hardware software and services.

“Where are the best practices? Everyone talks about them, but how do you find them? SafeCode is going to bring those best practices into one place so that government, consumers and businesses can make best use of them,” said Kurtz.

Kurtz added that SafeCode will be assembling an advisory group of government leaders and critical infrastructure operators from around the world to help with its mission.

The organisation will be funded via a $50,000 (ÂŁ24,000) membership fee levied on each of the members, Kurtz added.

“We want to be seen as an organisation that government and industry can turn to and say: ‘Can you help us with this?’,” said Kurtz.

Dave DeWalt, McAfee president and chief executive officer, said today that the acquisition will help to make e-commerce safer.

“Consumers are expected to spend nearly $160 billion dollars this year on products and services online, providing personal credit card information to e-commerce websites, many of which have traditionally been under-protected,” he said in a news release.

ScanAlert, best known for its Hacker Safe certification, has a customer list that includes the American Red Cross, Guess, Petco, Toshiba and Warner Brothers.

ScanAlert will be integrated into the Santa Clara, Calif.-based anti-virus vendor’s Web Security Group, and will be led cooperatively by Ken Leonard, ScanAlert chief executive officer, and Tim Dowling, a McAfee vice president.

“The mission of the Web Security Group is to bring transparency to the web so that consumers can distinguish between the safe neighborhoods and the dark alleys,” said Dowling. “We already know from numerous studies that consumer confidence is eroding, and as a result, tens of millions of dollars are left unspent online.”

A McAfee representative could not immediately be reached for comment.

John Pescatore, Gartner vice president and senior fellow, told SCMagazineUS.com today that McAfee has been unpredictable in its acquisitions of smaller companies.

“The only common thing its done is acquire relatively small companies,” he said. “They’re not doing the Symantec thing of buying the large security companies.”

Even when the Trojan is unable to wipe all files, it may still remove Windows files, which could stop all the programs installed on the machine functioning, PandaLabs warned.

“This is a very peculiar Trojan,” said Luis Corrons, technical director of PandaLabs. “Not only does it delete computer files, it does everything necessary to make it impossible to stop its actions. In cases like this, it is important to prevent the infection, which makes proactive protection techniques, capable of detecting unknown threats, a necessity.”

Researchers said the malware is spreading via a variety of methods, including physical storage devices, such as USB sticks, floppy discs and CD-ROMs, and through visiting websites hosting malicious code and downloads performed by other viruses.

clear float

The news is sure to irk Microsoft who may now face an increased delay in some consumers adopting Vista at this early stage. However, it shouldn’t come as a surprise. Earlier this month Falling Leaf Systems said in a press release that it believed Microsoft was deceiving consumers by stating that the titles would only work on Vista, and announced its intentions to release compatability software to disprove the claim.

“Microsoft has, in typical Microsoft fashion, decided to launch their forced migration onslaught in full force with the release of two games that will only run on Windows Vista,” said Falling Leaf Systems CEO Brian Thomason in the press release.

“First they claim that it was impossible to implement DirectX 10 compatibility atop Windows XP, and now they also want us to believe that they couldn’t successfully launch two DirectX 9 based titles on XP either. We plan to expose both theories as patently false.”

It appears Warez has beaten Falling Leaf to its goal, although Windows Live and in-game achievements are features still only availalbe to Vista gamers.

As many as 115,000 mobile phones may have been struck by the malware, according to Spanish police.

“Mobile phone viruses are not nearly as common as the malware that strikes Windows desktops on a regular basis, but they are just as illegal in their intent,” said Graham Cluley, senior technology consultant for Sophos. “Viruses are not harmless pranks; they cause real harm disrupting business and personal communications as well as destroying and stealing sensitive data. The computer crime authorities around the globe are becoming more experienced at tracking down hackers and virus writers, and given this latest arrest, malware authors should be asking themselves whether it’s really worth taking the risk.”

Earlier this year, a survey conducted by Sophos revealed that 81 per cent of IT administrators said that they were concerned that malware and spyware were targeting mobile devices and will become a significant threat in the future. However, nearly two-thirds (64 per cent) admitted that they have no solution in place to secure company phones and PDAs.