Saturday, October 18, 2008

Growing sophistication of threats to cyber security

Cyber security threats grow in sophistication, subtlety and power

Researchers say malware, botnets, cyber warfare, threats to VoIP and mobile devices, and the "evolving cyber crime economy" are ever-more sophisticated threats

The annual report from Georgia Tech Information Security Center identifies five evolving cyber security threats, and the news is not good.

GTISC interviewed a range of industry security experts to explore the threats and the available countermeasures. The five are malware, botnets, cyber warfare, threats to VoIP and mobile devices, and the "evolving cyber crime economy."

In all five areas, attackers are becoming increasingly sophisticated, increasingly subtle, and increasingly adept at exploiting new Web developments, such as the rise of social network sites. Industry and government need to become equally concerted and sophisticated to contain these threats if the Internet is to be a trusted communications medium.

The just-released report, "Emerging Cyber Threats Report for 2009: Mobility and Questions of Responsibility will Drive Cyber Threats in 2009 and Beyond," is online.

Malware development expertise is rapidly maturing, and those skills are perfectly suited to exploiting the continued weaknesses of poorly configured Web sites, especially social networking sites. The report cites Ryan Naraine, security evangelist for Kaspersky, as predicting a 10-fold increase in malware objects detected in 2008.

"As cyber criminals move beyond mass-distribution style phishing scams, they are learning how to localize and personalize their attacks for better penetration," according to the GTISC report. "Social networking sites like MySpace, Facebook and others will likely be used as delivery mechanisms to get unsuspecting users to a malicious Web site link in order to deliver malware."

As an example, the report describes an attack that sends a Facebook message from one friend to another about a YouTube video, including a link to the clip. The recipient clicks the link and sees a prompt to download an updated version of Flash Player in order to play the clip. Clicking the "update" actually installs malware on the recipient's computer; no software vulnerability is needed, only a convincing lure.

Another weakness that malware continues to exploit is the delay in patching and updating software on enterprise computers. Kaspersky's Naraine says the average corporation takes three to five months to apply a Windows patch everywhere, giving malware, and the botnets it builds, that much more time to take advantage of known weaknesses.

Botnets
Researchers at GTISC estimate that 15% of all online computers in 2008 will become part of botnets – infected with code that effectively puts them under the control of a remote botmaster. That's up from an estimated 10% in 2007.

One massive recent botnet was created by an 18-year-old New Zealander.

Infections can occur even through legitimate Web sites; botnet delivery mechanisms are becoming more sophisticated and subtle; and a user need do nothing more than load a Web page to become infected.

Uncovering bot communications is extremely difficult, according to Wenke Lee, an associate professor at GTISC and a leading botnet researcher. "It's very difficult to filter bot traffic at the network edge since it uses HTTP and every enterprise allows HTTP traffic," Lee says.
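Because bot check-ins ride on the same port and protocol as ordinary browsing, one practical alternative to edge filtering is to look at timing: a bot polls its controller on a schedule, while a person's requests to a site are bursty and irregular. The script below is an added example, not code from the GTISC report or from Lee's research; it reads a constructed proxy log (timestamp, client, host; every line here is made up for the example) and flags client/host pairs whose inter-request intervals are too regular to be human. The thresholds (`min_requests`, `max_cv`) are assumptions to tune against your own baseline, and a real deployment would also whitelist known pollers such as software updaters and mail clients.

```python
"""Beacon detection over HTTP proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed squid-style log: "ISO timestamp  client_ip  destination host".
# 10.0.0.7 talks to updates.example-cdn.net every ~300 s; 10.0.0.5 browses.
SAMPLE_LOG = """\
2008-10-18T09:00:00 10.0.0.5 news.example.com
2008-10-18T09:00:00 10.0.0.7 updates.example-cdn.net
2008-10-18T09:00:11 10.0.0.5 news.example.com
2008-10-18T09:03:45 10.0.0.5 mail.example.com
2008-10-18T09:05:00 10.0.0.7 updates.example-cdn.net
2008-10-18T09:10:00 10.0.0.7 updates.example-cdn.net
2008-10-18T09:12:09 10.0.0.5 news.example.com
2008-10-18T09:15:00 10.0.0.7 updates.example-cdn.net
2008-10-18T09:20:01 10.0.0.7 updates.example-cdn.net
2008-10-18T09:24:58 10.0.0.7 updates.example-cdn.net
2008-10-18T09:31:30 10.0.0.5 mail.example.com
"""


def parse_log(text):
    """Yield (datetime, client, host) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield stamp, parts[1], parts[2]


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, host): (mean_interval_seconds, cv)} for pairs whose
    request spacing is regular.

    Regularity is measured as the coefficient of variation (population
    stdev / mean) of the gaps between consecutive requests; a bot on a
    fixed timer has a CV near 0, a person clicking around does not.
    Pairs with fewer than min_requests hits are ignored as too little data.
    """
    times = defaultdict(list)
    for stamp, client, host in parse_log(text):
        times[(client, host)].append(stamp)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[key] = (round(avg, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (client, host), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {host} every {avg}s (cv={cv})")
```

On the sample data only the 10.0.0.7 / updates.example-cdn.net pair is reported (roughly every 300 seconds, CV well under 0.01); the browsing client's visits to news.example.com are too irregular to pass even with the request threshold lowered. Real bots add jitter to their sleep interval precisely to defeat this, so the CV threshold has to be set from observed traffic rather than guessed.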

The GTISC report cites a second quarter 2008 assessment by Panda Labs, which found 10 million bot computers were used to distribute spam and malware over the Internet every day.

Cyberwar
One of the most troubling sections in the report deals with cyberwar: the deliberate use by one nation of computer technology to weaken, cripple or confuse an enemy nation's military, economic and infrastructure assets.

The report cites the work of Don Jackson, director of threat intelligence for SecureWorks, in compiling research that implicates the Russian government in cyber attacks against Georgia just a few months ago. For example, most Georgian Internet traffic is routed through Turkey and Russia. As of Aug. 10, 2008, the day after the Russian Air Force was given the green light for air attacks, traffic routed through Turkey was almost completely blocked, and IP traffic through Russia "was slow and effectively unusable," according to the GTISC report.

Estonia faced cyber attacks in 2007.

We can expect such attacks to increase. Jon Ramsey, CTO for SecureWorks, says there are several reasons why: such attacks are inexpensive to mount compared with conventional warfighting; cyber defenses are weak or non-existent; the Internet offers "plausible deniability" for attackers; there are no "rules of engagement" to govern such cyber conflicts among nations.

VoIP and mobile devices
VoIP traffic, like e-mail, will be targeted for fraud, theft, and other scams. As wireless VoIP expands, denial of service becomes more than an inconvenience: in the case of a service provider, an attacker could attempt to blackmail the provider with the threat of widespread voice disruption, according to Tom Cross, a researcher with the IBM Internet Security Systems X-Force team.

Mobile devices will draw cyber criminals as the handhelds are used more often for transacting business and accessing sensitive data such as credit reports, according to Dave Amster, vice president of security investigations for Equifax. One prospect is that smartphones will be recruited into very large malware-driven mobile botnets.

The report even argues that today's lack of open security standards for mobile devices is an opportunity: it gives industry players the chance to develop such standards and apply them comprehensively from the start, something that never happened for PCs.

Cybercrime
Cyber criminals are increasingly professional, organized and profit-driven, the report argues. It notes that would-be criminals can now buy, lease, subscribe to, or pay as they go for the latest malware kits, complete with product guarantees and even service-level agreements. According to one researcher cited in the report, a few kit vendors even offer multilingual customer support.

The cost of cybercrime to business is mounting.

Gunter Ollmann, chief security strategist for IBM Internet Security Systems, identifies three tiers in this unfolding criminal industry: low-level criminals who buy and use kits to execute specific crimes; skilled developers, often in groups, working to develop new components for their commercial malware-creation products; and "managed service providers" that can apply and sustain malware attacks on a global scale.

Meeting these threats will require a three-pronged initiative, according to the report: technology, regulation, and education. Technology such as DomainKeys Identified Mail (DKIM), which lets a domain cryptographically sign its outgoing e-mail, and Sender Policy Framework (SPF), which lets a domain publish in DNS which hosts may send mail on its behalf, coupled with user education, can almost entirely eliminate phishing as a problem, according to some security researchers. One possible avenue for government regulation is modeled on auto insurance, which auto owners in most states are required to buy. Government could require purchase and update of appropriate security applications, according to researchers.
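To make concrete what an SPF check actually decides, here is a small evaluator, added as an example and not taken from the report or from any SPF library. It resolves a sending IP against the SPF policy of the envelope sender's domain, following `include:` references and applying the `+ - ~ ?` qualifiers. The DNS records are a constructed in-memory table (all domain names and addresses are made up), and only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled; anything else is reported as a permanent error rather than silently accepted. Note what the check covers: it authenticates the host that connected, for the domain in the SMTP envelope, and nothing more. A phisher who registers a lookalike domain and publishes a valid SPF record for it passes this check, which is why the technology has to be paired with user education, as the report says.

```python
"""Minimal SPF evaluator (added example, constructed DNS data, no network)."""
import ipaddress

# Constructed TXT records standing in for DNS; every name here is hypothetical.
DNS_TXT = {
    "bank.example.com":
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example.net -all",
    "_spf.mailer.example.net":
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # A self-referencing include, to exercise the recursion limit.
    "loop.example.org":
        "v=spf1 include:loop.example.org -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408 caps DNS-querying mechanisms at 10


def lookup_spf(domain):
    """Return the mechanism list of the domain's SPF record, or None."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_host(ip, domain, _depth=0):
    """Evaluate SPF for sending address `ip` and MAIL FROM domain `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = lookup_spf(domain)
    if terms is None:
        return "none"  # domain publishes no policy; nothing to enforce
    addr = ipaddress.ip_address(ip)

    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include is an error, not a miss
        else:
            # a, mx, exists, ptr and redirect= are not modelled in this example
            return "permerror"
    return "neutral"  # record exhausted without an "all" mechanism


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_host(ip, "bank.example.com"))
```

The bank's own range passes directly, the mailer's IPv4 and IPv6 ranges pass through the `include:`, and an unrelated address falls through to `-all` and fails. A receiving mail server would act on that result (reject on fail, score on softfail) before the message ever reaches a user, which is the layer at which SPF and DKIM remove the bulk of forged-sender mail.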
