Symantec’s Top 10 Internet Security Trends

November 19, 2007

Topping Symantec’s list of 2007 security trends is data breaches. It’s not hard to understand why: According to a 2006 study by the Ponemon Institute, data breaches cost an average of $4.7 million per incident and are predicted to cost even more in the future. That’s not the sort of outlay any IT pro wants to own. “Data breaches are indicative of an underlying trend: a movement away from hobbyist attacks… to targeted financially motivated attacks,” said Amrit Williams, CTO of enterprise security company BigFix and a former IT security analyst for Gartner. “When you have a motivation that’s driven by financial gain, the goal is to be quiet. You don’t want to be seen. What the attackers are after is not to bring systems down. They’re after the information itself.”

Symantec’s number two security trend for 2007 is Windows Vista, which has seen 16 security patches since its introduction. Both Symantec and McAfee foresee more attention being paid to Vista by malware writers as Vista adoption continues.

Third on Symantec’s list is spam, which reached record levels in 2007, according to the company. That may seem improbable given the vast sea of spam in which we’ve been swimming for the past few years, but spammers’ fortunes are buoyed by their ever-rising tide of unwanted messages. Thus, we now have to contend with spam in new bulky flavors — image spam, PDF spam, MP3 spam, and greeting card spam — that strains server resources even further.

A tasty irony: Offline, the mafia has long been involved with garbage collection; online, the cyber mafia is in the business of garbage generation and it’s the security industry that makes a killing cleaning up.

And, as Williams and others have said, it is a business. Symantec claims that a member of the Fujacks cybercrime gang once boasted, “This is a better money-making industry than real estate.”

To sustain that business and improve margins, cybercriminals are creating professional attack kits. That’s the fourth-ranked trend on Symantec’s list. “Forty-two percent of phishing Web sites observed in the first half of the year were associated with three phishing toolkits,” according to Symantec. Kits like WebAttacker and MPack make malicious expertise available globally in an instant, with the only requirements being a download, some IT savvy, and contempt for the law. Keeping with the professionalization of cybercrime are the fifth-, sixth-, and seventh-ranked security trends of 2007: phishing, exploitation of trusted brands, and bots, respectively. Phishing sites rose 18% in the first half of the year, according to Symantec, and the bots conquered Estonia in May, albeit briefly.

The eighth-ranked trend of 2007, as Symantec sees it, is Web plug-in vulnerabilities.

Number nine gets back to the professionalization of cybercrime: The creation of a market for security vulnerabilities. WabiSabiLabi aspires to be an informational eBay for legitimate buyers to obtain information about security flaws that isn’t yet public knowledge. If the market works, and it appears to be doing so, companies may discover that the cost of security is more than they expected.

Finally, the last item on Symantec’s list is virtual machine security. Virtualization is all the rage, because of perceived benefits in terms of cost and flexibility of management. Security is in there too, but there’s some debate about whether virtualization creates security problems, too. Symantec expects malware writers will give the skeptics some ammunition as they find ways into virtualized systems.

Looking ahead, Symantec sees storm clouds, which proves convenient for a company that sells umbrellas, so to speak. It expects election season social engineering to victimize computer users in 2008. It foresees increasingly sophisticated bots that can host phishing sites on the compromised computers of unwitting consumers — have fun explaining that to the FBI when they seize your PC.

Web-based threats will continue, Symantec expects, particularly as browsers become more uniform in the way they respond to scripting languages like JavaScript. And cross-site scripting exploits work, so malware writers can be counted on to continue making use of them.

As mobile phones, particularly smartphones with complex operating systems, continue to become more popular, Symantec sees hacker interest following. What luck that security companies are already offering mobile security software.

And like McAfee, Symantec expects attacks on virtual worlds to rise. There’s already a thriving market for virtual goods and it’s probably a safe bet that the FBI won’t send agents to recover your stolen gold or Axe of the Gronn Lords.

Such threats won’t be fixed by products, Williams insisted. He expects that the IT security story of 2008 will be the convergence of security and systems management. “It’s too costly, difficult, and challenging to maintain separate infrastructures,” he said.


BusinessWeek: Looming Online Security Threats in 2008

November 16, 2007

by Aaron Ricadela

It’s nearly enough to make you long for the days of typo-ridden e-mails pretending to come from your bank.

As Internet users display more of their personal information on social networking Web sites, and office workers upload more sensitive data to online software programs, computer hackers are employing increasingly sophisticated methods to pry that information loose. In many cases, they’re devising small attacks that can fly under the radar of traditional security software, while exploiting the trust users place in popular business and consumer Web sites.

In September, the names and contact information for tens of thousands of customers of Automatic Data Processing and SunTrust Banks were stolen from Salesforce, which provides online customer management software for those two companies. The incident occurred after a hacker tricked a Salesforce employee into disclosing a password.

The assaults on consumer sites are getting more unnerving as well. A security researcher reported Nov. 8 that hackers had hijacked pages on News Corp.’s social networking site MySpace, including the home page of singer Alicia Keys. Clicking nearly anywhere on the page would lead viewers to a Web site in China that tries to trick them into downloading software that can take over their PCs. “We’re going to see a lot more of this in the consumer space,” says John Pescatore, an Internet security analyst for Gartner.

Exploiting Trust

These kinds of targeted attacks on Web-based services may constitute the top computer security threats of 2008, according to security experts. “One of the biggest challenges of 2008 will be, how do you do business online when you know there’s a bad guy in the middle?” says Chris Rouland, chief technology officer in IBM’s Internet security systems division. “The personal computer isn’t the target of 2008; it’s the browser,” he says. IBM sees the landscape changing profoundly enough that the company plans to spend $1.5 billion next year to develop security suites that can address a broad array of threats rather than different products aimed at specific security risks.

Although a rash of e-mail-borne virus outbreaks in recent years have made most PC users wary of opening attachments or clicking on links in suspicious messages, it may be harder to prevent attacks that exploit the Web-based lists of friends and business contacts that users store in widely used services and social networks. “We’ve definitely seen the bad guys use malware to go after friends lists on MySpace and Facebook,” says Pescatore. “They’re exploiting trust.”

By targeting a relatively small number of users at a time—tens of thousands vs. millions—new hacking strategies can elude efforts to detect them. Hackers also are employing more professional approaches to maximize damage without being caught. These include division of labor by hacking expertise and wider use of black-market sites to hire programmers and purchase professional malware-writing tools.

Hackers Shift Attacks

Factor in the growing variety of places where people are connecting to the Internet—from work, from home, from Starbucks—and the growing array of devices they’re using to do so, and the coming year could present a potent brew of problems.

Although traditional PC software such as Microsoft’s Windows operating system and Office programs still present the broadest target because of their hundreds of millions of users, hackers are increasingly attacking online services, says Scott Charney, Microsoft vice-president for trustworthy computing. Worse, traditional virus attacks that crash PCs or issue floods of commands to overwhelm Web sites are being augmented with malicious software that can swipe personal information, such as bank and credit-card numbers.

To be sure, it’s in the interest of companies that sell security software to maximize fears that there’s a cyberthreat lurking behind every mouse click. At the same time, the sheer size of attacks is getting larger, and the Web’s incursion into nearly every facet of daily life presents attackers with more ways than ever to strike.

Cellular and Corporate Caution

For consumers, it’s not just their profiles on social networks that can be mined for personal information. Sophisticated smartphones that run full-fledged operating systems and e-mail applications, and hence store more valuable data, could present tempting targets. Security researchers have found numerous ways to break into prominent mobile-phone platforms from Symbian and Microsoft, and quickly demonstrated ways to hack into Apple’s new iPhone. “All of a sudden on that phone is the stuff the identity thieves go after,” says Gartner’s Pescatore, noting security vendors have been hyping the cell-phone threat for years, while the damage hasn’t amounted to much.

In the corporate world, criminals are hunting for more of the valuable information stored on companies’ servers. A computer breach at T.J. Maxx in 2005 and 2006 may have handed hackers access to credit- and debit-card numbers for up to 94 million of the retailer’s customers—double what the company originally reported, according to court documents filed by Visa and MasterCard in October.

Cyberthieves are also attacking corporate databases in search of undisclosed financial data or proprietary design and engineering information that can be sold, says Phil Dunkelberger, CEO of security software company PGP. “The really big money now is going to be in stealing intellectual property,” he says.

Viruses: More Sophisticated Bait

Hackers are also unleashing viruses that can recruit armies of consumer PCs into larger networks of remote-controlled machines. These “botnets” can distribute spam, attack database software, or keep a record of users’ keystrokes. One of the worst, Storm Worm, has infected tens of millions of PCs this year.

Even the messages containing virus payloads are getting slicker. In the past, as compared with the sophistication of the viruses, the e-mails carrying them were rather crude. That made users less likely to follow their instructions, says David Perry, director of global education at security software vendor Trend Micro. “These were really well-written viruses, but nobody in the U.S. would click on them because they sounded like they came from Boris and Natasha,” he says, referring to Cold War characters from the old Rocky & Bullwinkle cartoons. Now, he says, “they’re hiring professionals” to write the e-mails.

Security Tips

Given the assortment of nasty behavior befouling the Internet, what’s a PC user to do? BusinessWeek consulted the experts, who offered the following advice:

  • Don’t give away any valuable or sensitive personal information on your MySpace or Facebook profile, or within messages to other members of the network. And don’t click on any links in social network messages from people you don’t know.
  • No reputable company will ask for your password, account number, or other log-in information via e-mail or instant message.
  • Use one of the many antivirus, antispyware, and firewall programs on the market. Often, vendors offer all three functions in a single package. And many Internet service providers offer them free with your monthly subscription.
  • Upgrade your browser to the most current version. From Microsoft, that’s Internet Explorer 7; Mozilla’s Firefox is on version 2, as is Apple’s Safari browser.
  • Pay attention to the messages from Windows that pop up on your screen, especially in the new Vista operating system. They often contain helpful security information that many users overlook.
  • Turn on Windows’ automatic-update function to get Microsoft’s regular security patches.