Q&A: Websense threat research manager, Carl Leonard

by Phil Muncaster

14 Oct 2009

Carl Leonard: Web 2.0 has been the most significant change in the industry

Carl Leonard discusses Web 2.0, user-generated content and the dangers of drive-by malware.

V3.co.uk: As head of the Websense European threat research team, what does your role entail?
Carl Leonard: The security labs division is made up of a strong team of experts located globally. Our main aim is to develop product features; we play a key role in deciding where a product line should go based on the threats we're seeing. We focus on developing back-end processes so we can scale to meet the current threat landscape. In our last biannual threat report we found that malware sites increased by 670 per cent in one year, so being able to scale and develop products to meet the needs of enterprises is key. All our work goes into automating processes, and feeds into the ThreatSeeker network, the key technology we developed over a number of years which can parse through over one billion pieces of content each day and scan over 40 million sites an hour.

You've been analysing threats for over six years now. What have been the biggest changes during that time?
The uptake of Web 2.0 for business and personal use has been the most significant change in the industry. I mean types of sites which offer the ability to leave user-generated content, so the end user dictates to an extent what is displayed on the web site. User-generated web spam on posts and comments on these sites is not going away anytime soon. Malware authors know people go to these sites so, if they can encourage people to click on the links in these posts, it's an easy way to infect a lot of people. Tactics have changed a lot on the part of the hackers; phishing attacks are decreasing, for example, because it's now a well-discussed topic, so instead the hackers are installing malicious code on legitimate sites. This is better than creating new sites and trying to encourage people to go to them, having the code up there for two weeks. If you can compromise a legitimate site with a drive-by download, 10,000 people may visit in just 30 minutes. It's quick impact.

Are there any other current trends worth noting?
An increase in emails containing malicious links. The spammers may be collaborating with the malware authors to drive people to click through to malicious sites. Also the amount of search engine optimisation is really coming to the fore now. Any hot news of a celebrity, if you type it into a search engine, could return results linking to malicious sites. Users can't rely on the search engines to filter these results.

Do you ever feel like the good guys are fighting a losing battle?
No. I think that the last few months have shown the real impact made by the security community working with law enforcers; first the McColo shutdown, then the Pricewert ISP this summer. It's a good start, although the nature of malware activity is that they learn from these actions, so we could see more distributed code in future so that not all their eggs are in one basket.

There has been a lot of press about social networking threats. Where do you think the newest threats are coming from?
Well, the Facebook security team seem pretty hot on things. As regards Twitter, it is always a learning experience because it is new technology. You know the typical attacks that might occur, but sometimes they manifest themselves in unusual ways, as was seen in Twitter spam and the increase in malicious tweets. For customers trying to protect their own environments it's difficult to predict how the next threat will manifest itself, which is another reason why hosted services can be so useful. The IT team can also help by ensuring that policies are being enforced and configured correctly.
