Last year we saw hackers exploit trusted brands, and we can expect to see more of the same this year – especially with the popularity (and relative insecurity) of social networking sites.
The threat of choice typically involves modifying Web pages to serve up malicious content to visitors. So instead of directly attacking users, the attackers let users come to them.
It’s also easier for the bad guys to pull off these attacks. Last year we saw the proliferation of professional attack kits for sale over the Web (a phishing kit, for example, allows somebody to set up every aspect of a phishing attack). “The guys selling this stuff are providing updates, just like you would see with a legitimate software provider,” said Marc Fossi, a security specialist with Symantec Canada.
This coming year we can expect to see the continuation and evolution of current security threats. Here are some of the top ones to look out for in 2008:
1. The Olympics
Last year we started to see more attacks surrounding large-scale events, so this summer’s Olympic Games in Beijing will be something to watch out for, said Stephan Chenette, director of the Western security lab with Websense. “It’s a huge event, and it’s occurring in China,” he said. “And of the top countries where we see attacks coming from, China is in the top three.” If an exploit is put on the event’s Web site, a large number of visitors will be at risk – and we can expect to see more of these types of attacks occur around holidays or sporting events.
2. More Mac attacks
It’s not that the Mac is becoming more vulnerable in terms of its security, but simply that the platform is becoming more popular. As more people use Macs and iPhones to surf the Web, more attackers will be targeting those users and crafting specific exploits for the Mac or the iPhone, said Chenette.
3. More mobile attacks – thanks to the iPhone
We’re also seeing more robust cell phones, thanks to the popularity of the iPhone. “With this comes the capability of these devices to face the same sort of threats that your PC would face,” said Fossi.
Other cell phone manufacturers are looking at Apple’s success with the iPhone and looking to design similar devices. As a result, more banks are designing their Web portals for mobile browsers.
4. Social networking sites
In the past, the Web site owner created the content of the Web site. Now the 20 most popular sites are social networking sites using Web 2.0 technologies, said Chenette. That means the content is created by users – not the Web site owners. And there’s generally no security model built around the content or applications that are going onto these Web 2.0-driven Web sites.
“Any user can be creating content for Web 2.0-driven Web sites, which opens up a large possibility that there’s malicious content being placed on those sites,” he said. Typically in this scenario visitors to the site will be directed to another Web site that is owned directly by a malicious attacker.
5. Vishing
Last year we started to see vishing – a form of phishing through voicemail – where attackers call cell phones and leave a voicemail with a particular number to call; when users call back, they are asked for personal information. We can expect to see a lot more of it this year, thanks to the increased use of cell phones.
6. Morphing JavaScript
In order to evade anti-virus signatures and other Web scanners, a lot of attackers are now morphing their Web content, said Chenette. This means when a user visits a particular malicious site, the attacker can serve up different malicious content to that user every single time. “It makes it a lot more difficult for AV vendors to detect malicious content,” he said.
7. The bot evolution
Traditionally bots had a central command-and-control centre, so if you cut the head off, the rest would die out. Now we’re seeing peer networks, so there’s no single centralized command point. “They’re becoming a lot more difficult to take down,” said Fossi. “We’re expecting that the rest of the bot building community will start to adapt these types of tactics on a more widespread basis.”
The reality is, most Canadian firms haven’t even covered off the most basic tenets of security, said David Senf, director of Canadian security and software research with IDC Canada.
For example, we don’t have a lot of identity and access management deployed in Canada, he said.
Last year we heard about some significant security breaches, from the British government to TJX. “Those aren’t surprising,” said Senf. “What’s surprising is there hasn’t been more given the state of IT security.”
We’ll likely hear about more breaches this year, including social engineering attacks over social networking sites. “We saw that emerge [last year] as something real.”
We’ll also hear more from regulators and the privacy commissioner, as well as the credit card industry around PCI. “That will push more retailers and firms that deal with credit card transactions to beef up their security,” said Senf.
It’s not all bad news. Websense predicts that key members of hacker groups will be taken down and arrested this year – hopefully including the Storm attack group, the organization responsible for a number of large-scale attacks over the Web.
There are also more creative ways authorities can go after group members, since they’re often involved in myriad illegal activities, such as gambling or child pornography.
“Law enforcement has learned quite a bit about how these groups work,” said Chenette.