Viruses have been around almost as long as computers, and even though anti-virus is now only one of the smallest parts of the security landscape, the reality is that security is a perennial IT issue that will not be going away any time soon. One of the reasons for this is that it’s a fast-moving target: the nature of security threats changes over time, and the security landscape in 2003 was radically different from today’s.
Cyber-crime is no longer the domain of teenage hackers seeking notoriety by wreaking havoc on the Internet, says Phil Vasic, A/NZ country manager, Websense. “Organised criminal gangs are using the web for financial gain – attacks are now invisible and information is being stolen without the victims even knowing. Techniques are continuously evolving and have become ever more sophisticated. In the past five years, there has been a massive increase in targeted phishing and pharming attacks, and the use of spyware, botnets and keyloggers.”
According to MessageLabs product marketing manager, Philip Routley, 2003/4 represented the high-water mark for malware created by disaffected geeks seeking notoriety and the script kiddies who try to emulate their exploits. “In January 2003 Sobig arrived on the scene, followed by Sobig.f in July, causing numerous global ISPs to strain under the email load generated. Post Sobig, a whole slew of copycat viruses with names such as Mydoom, Sober, Bagle, Netsky dominated the IT press throughout 2004.”
After this series of outbreaks, malware became increasingly driven by organised crime seeking to make money, and in late 2006 security companies were seeing the next new threat evolve – botnets. A botnet is a large number of compromised computers which can be used to create and send spam or viruses, or to flood a network with messages as a denial-of-service attack. Each computer is compromised via a Trojan, and there is a thriving botnet business selling lists of compromised computers to hackers and spammers. The early botnets were primitive, but over time they have become incredibly complex.
“SpamThru, a new Trojan, appeared late in the year,” says Routley. “This Trojan was unique in that it had in-built peer-to-peer technology so that all the infected bots could theoretically communicate with each other; it contained its own AV engine in order to displace one’s bot competitor; and each individual bot was also armed with a template and a swathe of email addresses so it could function independent of the connection to the bot herder software.”
History has a way of repeating itself and computer security is no different in that regard. Last year’s Storm Trojan, which derived its name from emails claiming to report on the weather in northern Europe, was even more sophisticated and its botnet is now estimated to comprise 1.8 million computers worldwide.
Nevertheless, the growth in botnets is really only one symptom of the wider trend towards a criminalisation of cyber attacks, says Leigh Costin, product marketing manager Asia Pacific, Blue Coat Systems. “The biggest trend of the past five years has been the criminalisation of Internet threats. The targets are now mainly sources of money such as credit card numbers, identities and bank details and the means are more complex combined or blended attacks, using email, obscured weblinks, website hijacks, and hijacks of sections of popular websites.”
David Dzienciol, director partner sales, Symantec, agrees that botnets are a major problem, but says high-profile data breaches have also steadily increased over the past five years. Hand in hand with data breaches, phishing has become a major security threat, with phishing toolkits and professional attack kits such as MPack becoming popular.
“The exploitation of trusted brands, placing malicious code on sites such as the Sydney Opera House has also been a prevalent trend. By exploiting a trusted Web environment, attackers now prefer to lie in wait for victims to come to them. It has also become big business to sell vulnerability information to the highest bidder and ActiveX vulnerabilities are a problem.”
Another overarching trend has been the growth of managed security service providers. In 2003, many organisations were trying to do it all themselves, but the skills shortage has made it difficult to recruit and keep experienced security-trained personnel. The situation has now got to the point where even large financial institutions, which for obvious reasons tend to be focused on security, are outsourcing some of the commoditised functions such as firewall and intrusion detection monitoring.
The trend towards managed services will continue to grow, says Routley. “IDC forecast 36.3 percent growth in managed services between 2006 and 2011 worldwide. Software is predicted to grow 7.7 percent in the same period and appliances at 27.9 percent.”
So what of the future threat environment? What are some of the threats starting to rear their heads that are likely to become mainstream by 2013? One of the most obvious is the explosion of Web 2.0 technologies: social networks, web widgets, gadgets, modules and mash-up technologies are bringing a whole new dynamic to how people use the Internet.
“The popularity of these technologies will lead attackers to the wealth of opportunities to infiltrate groups, spread malicious code and defraud users,” says Vasic. “With the brand popularity and growing use of iPhones and Macintosh computers, attackers will increasingly launch cross-platform Web attacks that detect the operating system in use and serve up code specifically targeting that operating system instead of attacks based on just the Web browser.”
Costin believes that increasingly sophisticated attacks on e-Government and other high traffic sites will become prevalent. “It won’t be targeting the whole site, but rather just hijacking a section of it – an iFrame attack for example. The rest of the site is okay, but one part isn’t. So far these attacks have been rather crude, just as early phishing sites were crude, but they will get better as they were quite successful.
“Spear phishing, highly targeted attacks that focus on a single outcome will also become more prevalent. A recent example was the Salesforce.com attack. The attack lasted about 17 hours but once the perpetrators got what they wanted they shut the attack down.
“There is also a trend toward mobile as an attack means. The earlier threats didn’t turn up, but as more people start to use mobile money [stored value on mobile phones] and particularly mobile banking, there will be a new better reason to target phones and WiFi networks. This also means that laptops could become more of a target as Bluetooth and HSDPA (3G mobile data) become more commonly used.”
Businesses are increasingly sharing information across their extended enterprises and engaging in more complex e-commerce transactions. These new technologies are creating great opportunities, but also introducing new security risks which will become apparent over the next five years.
“It could get to the point where a major election campaign gets hacked,” says Dzienciol. “As political candidates increasingly turn to the Internet it is important to understand the associated IT security risks. The diversion of online campaign donations, dissemination of misinformation, fraud, phishing and the invasion of privacy are all possible scenarios.”
Web services are becoming more and more common as a way of tying applications together. But as browsers continue to converge on a uniform interpretation standard for scripting languages, such as JavaScript, the number of new web-based threats will continue to increase.
It is also likely that persistent virtual worlds (PVWs) and massively multiplayer online games (MMPOGs) such as Second Life and World of Warcraft will have another thing in common with the real world as phishers, spammers, and others turn their attention to these new communities.
Eric Krieger, country manager A/NZ, Secure Computing, says that just as IT departments are continually looking for efficiencies, attackers are using resources more efficiently.
“They’re first checking whether or not your computer has a security patch installed that will prevent their malicious software from being successful. If it does have up-to-date security installed, it will not attack that unit.”
There will also be a change in emphasis from attacking operating systems to attempting to compromise applications, as in the recent example of the Apple QuickTime header stack buffer overflow vulnerability. “In the past, most attacks have been carried out via operating systems because most computers come bundled with the software or have it preinstalled.
“However, as security measures have now made core software difficult to exploit, attackers may turn their attention to other, self-installed software that does not have automatic updates to protect it from being used maliciously,” Krieger says.
Although analysts and vendors have been predicting for several years that mobile phone malware was set to break out any day soon, Vasic believes that it will happen in the next five years. “The vast cell phone user population has grown into a lucrative market to exploit, with spamming and ‘vishing’, the practice of using social engineering and Voice over IP (VoIP) to gain personal and financial information for financial gain, set to take off.
“To date, researchers have seen an increased number of vishing attacks but not a lot of spam or proactive automated calling. Vishing and voice spam will combine and increase; users will receive automated voice calls on land lines with voice spam to lure them to input their credentials through the telephone.”
Vendors and analysts do get it wrong sometimes; however, to be fair, it’s more often the case that time frames are out than that someone predicts something that just never actually happens.
One of the major predicted threats that so far has failed to materialise, says Routley, is SPIM – spam over IM.
“While it does exist, it has yet to achieve the predicted levels and is minuscule compared to spam. Viruses and spam via mobile phone technology haven’t increased in line with adoption levels for the hardware; VoIP threats have also not risen as much as was predicted.”
On a lighter note, Costin points out that no one single vulnerability or threat has ended the Internet world as we know it.
“Mobile phone viruses of all types, SMS, MMS, spam, hijackings, direct virus infections and so on, are still not prevalent. The lack of a common OS and the number of proprietary OS have been the main cause of this.
“Although there is the issue of once you hijack a mobile phone what do you do with it? Right now, not much is the general answer. This will change as Smart Phones become more popular and the phone becomes a place to store credit and valuable content.”
Another dire prediction that has failed to come true is that spam was going to destroy email as a viable tool for anything. But after many years of spam running at 70-98 percent of all email traffic, email is still usable and we still rely on it.
Despite its many flaws and vulnerabilities, Windows is still here and hasn’t been compromised out of existence. On that note, no one major OS variant (Windows, MacOS, Linux) has proven itself to be implicitly safer than any other. The same goes for Open Source versus proprietary software. It’s still a case of user take care.
The security evolution
By Darren Baguely on Apr 30, 2008 11:23AM