Cybercrime reports: Security not broken, but breaking at the seams

By Ron Condon, U.K. Bureau Chief
31 Dec 2008 | SearchSecurity.co.uk


In early December, the New York Times ran a story headlined 'Thieves Winning Online War, Maybe Even in Your Computer', and began with the assertion: "Internet security is broken, and nobody seems to know quite how to fix it."

The article then went on to cite some mind-blowing statistics to substantiate the claim. For instance, according to the Georgia Tech Information Security Center, 15% of all PCs connected to the Internet have been turned into spambots, unwittingly spreading spam and malware to other users. With the world population of Internet users estimated to be nearing 1.5 billion, botnets consisting of several hundred thousand machines are becoming the norm.

This is hardly surprising. The Internet is used mostly by people who have little or no concept of the threats, and who will happily respond to 419 scams, phishing emails and unsolicited messages. They are easy prey for those who want to hijack their machines.

Driving botnets and malware is a growing criminal industry that thrives on a powerful combination of maximum opportunity and near-zero chance of detection and punishment. The Organization for Security and Co-operation in Europe (OSCE) suggests conservatively that the underground economy of credit card thefts, bank fraud and other scams robs computer users of an estimated $100 billion a year.

But does all this matter to the U.K. security professional whose job it is to guard the information and systems of his or her organisation? The Internet may be a dangerous place for the poorly trained and unwary, but when it comes to defending our own systems, is the situation really out of control?

Even the most optimistic voices in the security industry admit the situation is getting more difficult. The rise of the large-scale botnet, for instance, makes it hard for traditional defence mechanisms to operate. When spam and malware are being fired not from a single source, but from a vast, constantly changing army of machines, it becomes futile to try and block specific IP addresses.

Furthermore, as MessageLabs Inc. points out in its end-of-year report, "In 2008, spammers developed an affinity for spamming from large, reputable Web-based email and application services by defeating CAPTCHA techniques to generate massive numbers of personal accounts from these services. In January, 6.5% of spam originated from these hosted webmail accounts, peaking in September when 25% of spam originated from these sources, averaging about 12% for the remainder of the year."

CAPTCHA covers those techniques that webmail and social networking sites use to prevent automatic creation of accounts, usually sending a picture of a word or phrase for the user to enter in order to prove their credentials. But as MessageLabs has shown, the hackers have found ways around CAPTCHA, either by employing low-paid workers to register accounts, or developing software to crack the CAPTCHA codes.

Systems that work by blocking access to known URLs are similarly challenged. Security firm Sophos Plc said it discovers a newly infected Web page every 4 seconds. So any defence mechanism that works on a daily refresh of its database of dodgy websites is going to be hopelessly out of date. Many of the guilty websites will have been created and then taken down again before they are logged on the blacklist.

More worryingly, as Sophos points out in its own end-of-year report, the Web has become a major channel of attack for cybercriminals, replacing their previous reliance on email systems. "By exploiting poorly secured legitimate websites, hackers have been able to implant malicious code onto them, which then attempts to infect every visitor," it says. This means that companies run a double risk: their users may visit apparently respectable websites and become infected, and at the same time their own websites may be compromised (through SQL injection, for example) and start infecting every innocent visitor who comes to the site.

Secure coding techniques and thorough penetration testing can reduce the chances of that happening, but those are only available to larger companies who can afford such luxuries. "The problem is that even if they know they are infected, some companies don't know how to clean themselves up, or are re-infected as soon as they clean themselves up within a matter of hours. Simply removing the malware from your database doesn't fix the vulnerability," says Graham Cluley, senior technology consultant with Sophos.
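Cluley's point that scrubbing the database does not fix the vulnerability is easiest to see side by side. The example below is added here and is not code from the article, Sophos or any site it describes; the `pages` table, the slugs and the sample inputs are all constructed. It contrasts a page lookup that splices visitor input into the SQL text (the defect behind the SQL injection the article mentions) with the parameterised form that treats the input purely as data. The point for defenders: only the second function removes the root cause, so a site that cleans its content but keeps the first pattern stays exposed, and the query error the first pattern throws on a stray apostrophe is a signal worth watching for in application logs.

```python
import sqlite3

# Constructed sample content (not from the article): a tiny "pages" table
# standing in for a website's content store.
SAMPLE_PAGES = [
    ("home", "<p>Welcome</p>"),
    ("about", "<p>About us</p>"),
    ("internal-notes", "<p>Not meant for visitors</p>"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def fetch_page_vulnerable(conn, slug):
    """The defective pattern: request input spliced into the SQL text.

    Because the value becomes part of the statement, a quote character in it
    changes what the statement means. This is the class of flaw the article
    calls SQL injection, and it remains no matter how often the data is cleaned.
    """
    sql = "SELECT slug, body FROM pages WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def fetch_page_safe(conn, slug):
    """The fix: a parameterised query.

    The driver passes the value separately from the SQL text, so whatever the
    visitor typed is handled strictly as data, never as part of the statement.
    """
    return conn.execute(
        "SELECT slug, body FROM pages WHERE slug = ?", (slug,)
    ).fetchall()


def compare(slug):
    """Run both lookups on the same input and report how many rows each returns.

    Returns (vulnerable_count, safe_count). A count of -1 means the query
    failed; for the vulnerable version that happens on any slug containing a
    quote, which is the error a defender would see in the application log.
    """
    conn = make_db()
    try:
        vulnerable = len(fetch_page_vulnerable(conn, slug))
    except sqlite3.OperationalError:
        vulnerable = -1
    safe = len(fetch_page_safe(conn, slug))
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # A normal slug behaves the same in both versions: one row each.
    print("home        ->", compare("home"))
    # The textbook tautology: the vulnerable query now matches every row,
    # including a page never meant to be reachable; the safe query matches
    # nothing, because no page has that literal slug.
    print("tautology   ->", compare("home' OR '1'='1"))
    # A harmless apostrophe breaks the vulnerable query outright, while the
    # safe query simply finds no such page.
    print("apostrophe  ->", compare("o'reilly"))
```

Replacing every string-built query with the parameterised form is the fix the article's "simply removing the malware doesn't fix the vulnerability" remark is pointing at; cleaning the stored pages is still necessary afterwards, but on its own it only resets the clock until the next request abuses the same query.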

Writers of malware are also getting cleverer as the rewards get higher. Self-modifying code and obfuscated code are creating new challenges for the AV industry, which can no longer rely on signature recognition to block malware, and needs to apply a much broader range of checks.

Cluley also warns that companies will need to do much more thorough patching of software in the future. "It goes beyond just keeping your operating system patches up to date," he said. "You need to keep Adobe Acrobat up to date too, and Microsoft Word. One of our predictions for 2009 is that we are going to see more attacks exploiting non-operating system vulnerabilities, and we are already seeing it with PDF files."

As Cluley points out, while many people now know the dangers of opening an attachment with a .EXE suffix, they will be less wary of a PDF or Word file. "If the hacker has exploited a vulnerability in Adobe Acrobat, the PDF file may open perfectly well, but in the background it is installing malware on to your computer," Cluley says. "It can be a good idea to update things like Adobe automatically, but in a company you might not want to do it that way."

Despite the growing outside threats, however, the biggest dangers still come from within the organisation, according to recent research carried out by YouGov plc for the network security vendor Clavister Ab. The report, published in early December, was based on the views of 212 private sector IT directors and senior managers.

In the opinion of 86% of the sample, the most likely cause of an IT security incident came from a company's own employees. The reasons for this included staff ignoring, not being made aware of or not being sufficiently trained on security policies, as well as making mistakes or committing industrial espionage.
