Cybercrime reports: Security not broken, but breaking at the seams

By Ron Condon, U.K. Bureau Chief
31 Dec 2008 | SearchSecurity.co.uk

In early December, the New York Times ran a story headlined 'Thieves Winning Online War, Maybe Even in Your Computer', and began with the assertion: "Internet security is broken, and nobody seems to know quite how to fix it."

The article then went on to cite some mind-blowing statistics to substantiate the claim. For instance, according to the Georgia Tech Information Security Center, 15% of all PCs connected to the Internet have been turned into spambots, unwittingly spreading spam and malware to other users. With the world population of Internet users estimated to be nearing 1.5 billion, botnets consisting of several hundred thousand machines are becoming the norm.

This is hardly surprising. The Internet is used mostly by people who have little or no concept of the threats, and who will happily respond to 419 scams, phishing emails and unsolicited messages. They are easy prey for those who want to hijack their machines.

Driving botnets and malware is a growing criminal industry that thrives on a powerful combination of maximum opportunity and near-zero chance of detection and punishment. The Organization for Security and Co-operation in Europe (OSCE) suggests conservatively that the underground economy of credit card thefts, bank fraud and other scams robs computer users of an estimated $100 billion a year.

But does all this matter to the U.K. security professional whose job it is to guard the information and systems of his or her organisation? The Internet may be a dangerous place for the poorly trained and unwary, but when it comes to defending our own systems, is the situation really out of control?

Even the most optimistic voices in the security industry admit the situation is getting more difficult. The rise of the large-scale botnet, for instance, makes it hard for traditional defence mechanisms to operate. When spam and malware are being fired not from a single source, but from a vast, constantly changing army of machines, it becomes futile to try to block specific IP addresses.

Furthermore, as MessageLabs Inc. points out in its end-of-year report, "In 2008, spammers developed an affinity for spamming from large, reputable Web-based email and application services by defeating CAPTCHA techniques to generate massive numbers of personal accounts from these services. In January, 6.5% of spam originated from these hosted webmail accounts, peaking in September when 25% of spam originated from these sources, averaging about 12% for the remainder of the year."

CAPTCHA covers those techniques that webmail and social networking sites use to prevent automatic creation of accounts, usually by showing a distorted picture of a word or phrase that the user must type in to prove that a person, not a program, is filling in the form. But as MessageLabs has shown, the hackers have found ways around CAPTCHA, either by employing low-paid workers to register accounts, or by developing software to crack the CAPTCHA codes.

Systems that work by blocking access to known URLs are similarly challenged. Security firm Sophos Plc said it discovers a newly infected Web page every 4 seconds. So any defence mechanism that works on a daily refresh of its database of dodgy websites is going to be hopelessly out of date. Many of the guilty websites will have been created and then taken down again before they are logged on the blacklist.

More worryingly, as Sophos points out in its own end-of-year report, the Web has become a major channel of attack for cybercriminals, replacing their previous reliance on email systems. "By exploiting poorly secured legitimate websites, hackers have been able to implant malicious code onto them, which then attempts to infect every visitor," it says. This means that companies run a double risk: their users may go to apparently respectable websites and become infected; while at the same time they may be compromised (through SQL injection, for example) and then start infecting every innocent visitor that comes to the site.

Secure coding techniques and thorough penetration testing can reduce the chances of that happening, but those are only available to larger companies who can afford such luxuries. "The problem is that even if they know they are infected, some companies don't know how to clean themselves up, or are re-infected as soon as they clean themselves up within a matter of hours. Simply removing the malware from your database doesn't fix the vulnerability," says Graham Cluley, senior technology consultant with Sophos.

Writers of malware are also getting cleverer as the rewards get higher. Self-modifying code and obfuscated code are creating new challenges for the AV industry, which can no longer rely on signature recognition to block malware, and needs to apply a much broader range of checks.

Cluley also warns that companies will need to do much more thorough patching of software in the future. "It goes beyond just keeping your operating system patches up to date," he said. "You need to keep Adobe Acrobat up to date too, and Microsoft Word. One of our predictions for 2009 is that we are going to see more attacks exploiting non-operating system vulnerabilities, and we are already seeing it with PDF files."

As Cluley said, while many people now know the dangers of opening an attachment with a .EXE suffix, they will be less wary of a PDF or Word file. "If the hacker has exploited a vulnerability in Adobe Acrobat, the PDF file may open perfectly well, but in the background it is installing malware on to your computer," Cluley says. "It can be a good idea to update things like Adobe automatically, but in a company you might not want to do it that way."

Despite the growing outside threats, however, the biggest dangers still come from within the organisation, according to recent research carried out by YouGov plc for the network security vendor Clavister Ab. The report, published in early December, was based on the views of 212 private sector IT directors and senior managers.

In the opinion of 86% of the sample, the most likely cause of an IT security incident came from a company's own employees. The reasons for this included staff ignoring, not being made aware of or not being sufficiently trained on security policies, as well as making mistakes or committing industrial espionage.
