Bleak Outlook for Information Security, According to Researchers
December 3, 2007 Alex Woodie
Hackers, thieves, and malware writers continued to circumvent security measures and compromise the world’s computers in creative new ways during 2007, according to security researchers at the SANS Institute, which released its seventh-annual SANS Top 20 list of the most pressing security vulnerabilities yesterday. And next year doesn’t look a whole lot better, with an expected increase in parasitic crimeware, botnets, and targeted attacks on virtualization products, VoIP, and Vista, according to McAfee’s Avert Labs, which released its Top 10 Threat Predictions for 2008.
For the last seven years, the highly respected SANS Institute has published a list of the most pressing security vulnerabilities in the IT industry. In years past, the list focused on identifying technical problems with specific products, with the hope that highlighting the problems would make users more secure and encourage the vendor to fix the problem.
That approach has been largely dropped this year due to the speed at which the field is evolving. “Because attackers are moving so quickly today, such point-fixes are outdated almost immediately,” the group says. Instead, SANS hopes to simply illuminate where attackers today are looking for weaknesses.
Web browsers continue to be the top targets of ne’er-do-wells, and they top SANS’ list. Vulnerabilities in the two dominant HTML viewers–Internet Explorer and Firefox–gave malware writers plenty of ways to infect Web surfers in 2007. Many attackers have exploited bugs in ActiveX controls, scripts, and third-party plug-ins, such as the Flash Player and Acrobat Reader. In some cases, problems in IE have allowed malware writers to exploit underlying Windows flaws.
As vulnerabilities in operating systems get patched, malware writers naturally drift toward trying to exploit flaws in traditional, fat-client software. Microsoft’s Office products continue to get hit hard, but they’re not the only vulnerable applications. Adobe’s Acrobat also had its share of vulnerabilities, as did Mozilla’s Thunderbird and SeaMonkey e-mail products and Apple’s Mail.app. In fact, e-mail clients had such a rough time of it this year that SANS gave them their own listing. Media players–always good for a vulnerability or three–continued their record run, with Windows Media Player, Real Networks RealPlayer, and Apple’s QuickTime and iTunes leading the pack.
While the desktop continues to be an area of big concern for security officers, servers and applications that run on servers had their share of vulnerabilities in 2007. One of the chief concerns is the rash of bugs being discovered and exploited in Web-based applications, especially the content management systems (CMS), wikis, portals, bulletin boards, and discussion forums, whether they’re written in PHP, .NET, J2EE, Ruby on Rails, or ColdFusion. “Every week hundreds of vulnerabilities are reported in commercially available and open source Web applications, and are actively exploited,” SANS says.
SANS had a special section devoted to Windows Services, and the problems this class of Windows programs can cause for organizations trying to secure themselves. However, Windows isn’t the only operating system with a less-than-100-percent-secure architecture. Unix, Linux, and Mac OS also run certain vulnerable services by default, including SSH, FTP, and Telnet, which continue to be common ways of attacking a Unix-based machine.
Backup software is another problem area. After all, where else will evil-doers find, in one convenient location, all of the information that an organization deems its most critical? (Sort of like the response that Willy Sutton gave when asked why he robs banks: “Because that’s where the money is.”) Over the past year, three of the industry’s most popular backup products have been exploited through software vulnerabilities, including CA’s BrightStor ARCServe, Symantec’s Veritas NetBackup and Backup Exec products, and EMC’s Legato Networker, SANS reports.
Not to be outdone, security software itself has been found vulnerable. SANS says problems have cropped up in the antivirus products from Symantec, F-Secure, Trend Micro, McAfee, CA, Sophos, and the open source ClamAV. Other problems have been found in management servers, such as Hewlett-Packard’s OpenView; and in database management systems (all of the most popular ones, except IBM’s Informix, Sybase, and MySQL, interestingly).
Miscellaneous Security Flaws
SANS also shined the light on potentially deficient procedures used by organizations. Many users have too much authority granted to them, which could allow hackers to gain access to sensitive information through the use of a keylogger or other bit of malware. In some cases, physical security is not tight enough, such as when a user is allowed to introduce an infected device, such as a USB memory stick, into the corporate IT environment. Also, unencrypted laptops and other storage devices that are lost continue to provide the criminal underworld with a never-ending supply of sensitive data.
People are also continuing to fall victim to phishing attempts, either through e-mail spam or its instant messaging (IM) counterpart, SPIM. In fact, SANS has witnessed a new type of phishing attack, where the victim receives a highly targeted e-mail that includes information about the staff or current organizational issues that make it appear genuine. Of course, this form of targeted attack is called spear phishing. Worm and virus attacks on IM continue to escalate, SANS says.
You might know peer-to-peer (P2P) networks as the place to get free (but illegal) music downloads, but the hacker community sees P2P networks as the way to significantly grow the size of their botnet armies. The largest of these botnets, the Storm botnet, grew to epic proportions in 2007, and now includes up to 50 million infected subjugates.
Voice over IP (VoIP) is also getting its share of attention from malware writers, who are eager to make their mark in this fresh, green field with phishing scams, eavesdropping, toll fraud, and denial-of-service attacks. Perhaps most troubling is the potential for VoIP scammers to use the growing integration between VoIP hubs and traditional PBX phone systems to launch attacks against the Public Switched Telephone Network. Ma Bell would not approve of that, and neither should you, which means taking all possible precautions to secure your VoIP system. In other words, apply application patches quickly, keep underlying OSes patched, disable all unnecessary services, run lots of firewalls and IPSes, and do vulnerability scans often.
Outlook for 2008
Considering the bleak state of security in 2007, things have to be looking up for 2008, right? Not so, according to McAfee’s Avert Labs, which published its annual top 10 list of security predictions last week.
McAfee’s research points to the continuing resilience of viruses and Trojans, and the importance of antivirus software, which are areas of IT security that lately seemed to have tailed off somewhat, in light of all the other new and exciting ways of getting infected on the Net. Over the past 12 months, McAfee has recorded more than 100,000 new viruses and Trojans, a 50 percent jump in the total number of threats ever cataloged, the company says. The virus lives on.
But leading off McAfee’s list is a lone bright spot: the decline of adware. Thanks to new laws prohibiting this advertising technique, the amount of adware on the Net has declined since the summer of 2005, and will continue to decline next year, McAfee says.
With that lone bright spot out of the way, McAfee is free to focus on the negative trends, which dominate its top 10 list. The rise of botnets, as exemplified by Storm, will continue to be a big problem in 2008, as botnet masters seek to emulate Storm’s success. Crimeware and phishing will become more sophisticated next year, as criminals get smarter about infiltrating their targets. “Parasitic crimeware,” which is software designed to steal information using the traditional techniques pioneered by virus writers, will grow by 20 percent in 2008, McAfee says.
Attacks on IM clients will continue to increase next year, as the number of vulnerabilities found in IM software continues to go up. McAfee raises the specter of the self-executing IM worm, which hasn’t yet been found in the wild. If this hypothetical beast were to be unleashed on the world, it could “spawn millions of users and circle the globe in a matter of seconds.” Now that’s a nice thought.
McAfee highlighted the growth in use of virtualization software–in particular, VMWare’s–as cause for alarm in 2008. The number of vulnerabilities found in VMWare products increased by a factor of five last year, McAfee says. Hackers will be trying to exploit those vulnerabilities in 2008, the company says.
Windows Vista will also “join the party,” so to speak, in 2008. If the number of vulnerabilities found in Windows XP following its release is any guide (and it may or may not be), the number of Vista vulnerabilities will grow considerably next year, according to McAfee.
The threat posed by the growth of VoIP didn’t pass McAfee by. The security group found the number of VoIP vulnerabilities doubled this year compared to 2006. As a result, the number of “vishing” attacks should grow by 50 percent in 2008, as early adopters struggle to secure their shiny new VoIP systems. “It’s clear that VoIP threats have arrived and there’s no sign of a slowdown,” McAfee warns.
Last but not least on McAfee’s list is Web 2.0. While the Internet phenomenon is leading to a resurgence online, it’s also not helping security. So-called “social networking” sites are giving criminals a wealth of information to craft their cyber attacks, when all they had before was a small nugget.
While the IT industry gives us increasingly sophisticated tools to connect ourselves in valuable new ways, those technological advances are also falling into the hands of hackers, thieves, and other criminals, making their jobs easier. Security officers need to be even more vigilant and skeptical about weighing the benefits of using the new technology against the possible holes they will open in their armor.