PUNTA CANA—Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab’s Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using.
So when Raiu says he conducts his online activities under the assumption that his movements are being monitored by government hackers, it is not meant as a scare tactic. It is a simple statement of fact.
“I operate under the principle that my computer is owned by at least three governments,” Raiu said during a presentation he gave to industry analysts at the company’s analyst summit here on Thursday.
The comment drew some chuckles from the audience, but Raiu was not joking. Security experts for years have been telling users, especially enterprise users, to assume that their network or PC is compromised. The reasoning is that if you assume you’re owned then you’ll be more cautious about what you do. It’s the technical equivalent of telling a child to behave as if his mother is watching everything he does. It doesn’t always work, but it can’t hurt.
Raiu and his fellow researchers around the world are obvious targets for highly skilled attackers of all stripes. They spend their days analyzing new attack techniques and working out methods for countering them. Intelligence agencies, APT groups and cybercrime gangs all would love to know what researchers know and how they get their information. Just about every researcher has a story about being attacked or compromised at some point. It’s an occupational hazard.
But one of the things that the events of the last year have made clear is that the kind of paranoia and caution that Raiu and others who draw the attention of attackers employ as a matter of course should now be the default setting for the rest of us, as well. As researcher Claudio Guarnieri recently detailed, the Internet itself is compromised. Not this bit or that bit. The entire network. We now know that intelligence agencies have spent the last decade systematically penetrating virtually every portion of the Internet and are conducting surveillance and exploitation on a scale that a year ago would have seemed inconceivable to all but the most paranoid among us.
Email? Broken. Mobile communications? Broken. Web traffic? Really broken. Crypto? So, so broken.
It would be understandable, even natural, for most casual observers to have grown so completely overwhelmed by the inundation of stories about government surveillance and exploitation techniques that they tuned it out months ago. Why get worked up about something you can’t change? It’s like getting mad at cake for being delicious.
And that’s exactly the attitude that attackers want. Indeed, they depend on it. Complacency and indifference to clear threats are their lifeblood. Attackers can’t operate effectively without them.
The best response, of course, isn’t panic or indulging the urge to throw your laptop out the window and drop off the grid, as tempting as that might be. Rather, the best course of action is to follow Raiu’s simple advice. You’re being watched at all times; act accordingly.
Image from Flickr photos of Lyudagreen.