December 21, 2007 | Comments: (0)

IT security in '08 not looking too great

I've been reading and writing about Web 2.0 malware attacks for some time -- the variety leveled at Web 2.0 content such as blog comments specifically, not so much at AJAX or other new programming techniques -- but I finally felt the crunch myself this morning.

Upon opening my in-box I found roughly 100 new e-mails asking me to approve comments on this here Zero Day blog, and sadly, given that I only average a handful of responses from you, my faithful readers, each week, I knew that something strange was afoot.

It turns out that some attacker's automated malware finally found its way to this blog and attempted to post a bunch of links to (what I'd suspect are) malware sites. Both the e-mail addresses and the links themselves were clearly generated by machine, not by hand: they consisted of strings of random letters and numbers.
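Machine-generated addresses and hostnames of the kind described above are easy for a human to spot and almost as easy to score automatically. The following is an added example (not code from the original post or from InfoWorld) of a triage heuristic a blog owner could run over the moderation queue: it flags tokens that have no vowels or that interleave letters and digits the way random identifiers do. The sample submissions are constructed for the example, and the thresholds are assumptions to tune against real traffic; a heuristic like this should hold comments for review, not silently drop them.

```python
from urllib.parse import urlparse

# Constructed sample of pending comment submissions (invented for this example,
# not the actual spam the post describes).
PENDING = [
    {"email": "x7k2q9m@fp3kz8.com", "url": "http://q8zk4r9mx2.info/"},
    {"email": "jane.doe@example.org", "url": "http://janesblog.example.org/"},
    {"email": "reader@example.net", "url": ""},
    {"email": "b4tr0v8ws@m7x1pk.net", "url": "http://t6y2ns5pq.com/4kz9"},
]

VOWELS = set("aeiou")


def looks_machine_generated(token, min_len=5):
    """Heuristic: human-chosen names are pronounceable (they contain vowels) and
    rarely interleave letters and digits; random alphanumeric strings do neither.
    Thresholds are assumptions chosen for this example."""
    alnum = [c for c in token.lower() if c.isalnum()]
    if len(alnum) < min_len:
        return False
    letters = [c for c in alnum if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = (len(alnum) - len(letters)) / len(alnum)
    # Count letter<->digit boundaries, e.g. "x7k2q9m" has six.
    transitions = sum(1 for a, b in zip(alnum, alnum[1:]) if a.isalpha() != b.isalpha())
    return (len(letters) >= 4 and vowel_ratio < 0.2) or (transitions >= 3 and digit_ratio >= 0.25)


def suspicious_tokens(submission):
    """Return the parts of a submission that look generated: the e-mail local part,
    and every hostname label except the TLD, for both the address and the link."""
    tokens = []
    email = submission.get("email", "")
    if "@" in email:
        local, _, domain = email.partition("@")
        tokens.append(local)
        tokens.extend(domain.split(".")[:-1])
    url = submission.get("url", "")
    if url:
        host = urlparse(url).hostname or ""
        tokens.extend(host.split(".")[:-1])
    return [t for t in tokens if looks_machine_generated(t)]


def triage(pending):
    """Split pending comments into (hold_for_review, likely_human) by e-mail address."""
    hold, approve = [], []
    for sub in pending:
        (hold if suspicious_tokens(sub) else approve).append(sub["email"])
    return hold, approve


if __name__ == "__main__":
    hold, approve = triage(PENDING)
    print("hold for review:", hold)
    print("likely human:   ", approve)
```

Run against the constructed batch, the two submissions built from random strings land in the hold list and the two with pronounceable names are passed through. Real spam runs will adapt (dictionary words, stolen real addresses), so this belongs alongside rate limiting and link policies rather than in place of them.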

If only my writing could garner as much interest on its own!

Anyway, the personal experience just backs up what we've been telling you here throughout 2007: the attacks are only getting more widespread and sophisticated -- really nothing new in that sense since I started covering security roughly four years ago -- but clearly the stakes continue to rise.

And, according to Paul Henry, a longtime industry expert who currently wears the title of "vice president of technology evangelism" at security gateway maker Secure Computing, 2008 is shaping up to be worse than any year before it.

(Consider that according to McAfee, 2007 was by far the worst year ever for malware, as the company's Avert Labs tracked an estimated 357,000 individual pieces of malware, a 60 percent increase over 2006. FTR, McAfee is predicting that we will see over 550,000 samples during 2008.)

Henry outlined several issues feeding this trend of rising attack professionalism, sophistication and ubiquity on a recent call where we discussed the fate of '08.

Among the most striking observations he made was that many security companies aren't helping the problem, but rather adding to it.

TippingPoint, for one, and many others, he said, are intensifying the problems created by exploit bidding sites like WabiSabiLabi, where anyone willing to pay more than the next guy can buy newly discovered and previously unreported software vulnerabilities.

These companies are doing so by purchasing unique exploits for themselves and creating "vaccines" to protect their customers, rather than reporting the flaws to the affected application makers or detailing them in any public forum.

Now, most security vendors will tell you they do report the vulnerabilities to the application makers, but Henry said that increasingly many are sitting on the details longer to give themselves some sort of perceived advantage.

Being the first to report and protect against a new attack isn't good enough anymore, it would seem, and he claims that more companies than ever are sitting on their vulnerability information.

That includes Symantec and McAfee, he said, though those companies are being less flagrant and are merely trying to keep pace with everyone else who is doing it.

Another alarming aspect of this trend, Henry contends, is that the vendors are not hiding the details of the new exploits very well in their vaccines. A signature that blocks an exploit necessarily describes the condition that triggers the bug, so anyone who can extract the signature from the product can work backward to the unpatched vulnerability. Thus more hackers are getting their hands on these flaws by taking the information directly from the AV providers. Yipes.

"It's like the old protection schemes in the Fifties in New York where the shady insurance guy would show you a picture of your business on fire and ask you if you wanted to buy fire insurance," said Henry. "It borders on extortion, and I've been very surprised by the number of security companies doing it; people seem to be jumping on the bandwagon because they don't want to be at some sort of competitive disadvantage."

Henry contends that the open window on a lot of these threats is as long as 18 months.

Along with more automated Web 2.0 threats such as the one attacking the comments section of this here blog, the expert believes that we'll also see more advanced social engineering threats such as the CyberLover attack that I detailed here one week ago, which poses as an available guy on singles-site forums and tries to lure women into handing over their personal details or trick them into visiting malware sites.

He believes that we'll see more targeted attacks on businesses that attempt to use this level of sophisticated, human-like automation to trick people into handing over data about their companies or their network log-in credentials. Sweet.

Some of these programs, including CyberLover, appear to be emanating from our old friends the RBN (Russian Business Network), who Henry said (echoing many other experts) have moved their operations largely to China, possibly using an ISP/hosting company known as HostFresh, located in Hong Kong.

Among the other types of attacks he believes will come from this group and other professional-grade exploit providers in '08 are more cross site request forgery (CSRF) threats aimed at Webmail accounts and the like. (Strictly speaking, CSRF doesn't capture cookies: it rides on the victim's live session, because the browser attaches the site's cookies to a forged request automatically. The cookie-stealing tools described below are session hijacking, a related but separate problem with different defenses.)

Recent samples the expert has observed included a CSRF attack for sale that advertised the ability to get into Webmail domains controlled by all the big players, including Google, Yahoo, MSN and Lycos.

Some of these threats involve "cookie sniffers," which grab available log-in information from people's browsers and send it back to a central database controlled by attackers. "Cookie replayers" sit on people's machines waiting to grab their credentials when they log into their accounts.
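To make the distinction between the two attack classes concrete, here is an added example (not code from the original post or from any of the Webmail providers named) of a toy "change forwarding address" handler in a Webmail-style application. The first version authorizes on the session cookie alone and falls to a forged cross-site POST; the hardened version also demands a per-session token that an attacker's page cannot read. The third scenario shows why a stolen cookie, the "replayer" case, is a different problem: whoever holds the cookie can fetch the token too. All names, the in-memory stores and the request model are assumptions invented for the example.

```python
import hmac
import secrets

# Toy in-memory Webmail backend, constructed for this example (not a real service).
SESSIONS = {}     # session id -> {"user": ..., "csrf": ...}
FORWARDING = {}   # user -> address all mail is forwarded to: a classic CSRF target


def login(user):
    """Issue a session cookie value and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def browser_request(sid, form):
    """Model the browser: the site's cookie is attached to every request to the site,
    no matter which page (ours or an attacker's) caused the request to be sent."""
    return {"cookies": {"sid": sid}, "form": form}


def settings_page(request):
    """GET handler: renders the form, embedding the CSRF token the POST handler expects."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    return sess["csrf"] if sess else None


def set_forwarding_vulnerable(request):
    """Authorizes on the session cookie alone, so a forged cross-site POST succeeds."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if not sess:
        return 401
    FORWARDING[sess["user"]] = request["form"]["forward_to"]
    return 200


def set_forwarding_hardened(request):
    """Additionally requires the per-session token, which a cross-site page cannot read."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if not sess:
        return 401
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # constant-time comparison
        return 403
    FORWARDING[sess["user"]] = request["form"]["forward_to"]
    return 200


def demo():
    """Run three scenarios; return (HTTP status, resulting forwarding address) for each."""
    results = {}
    sid = login("alice")

    # 1. CSRF: alice, logged in, visits evil.example, which auto-submits a form to the
    #    webmail site. Her browser attaches her cookie; the attacker's page never sees it.
    forged = browser_request(sid, {"forward_to": "attacker@evil.example"})
    FORWARDING["alice"] = "alice@example.org"
    results["csrf_vs_vulnerable"] = (set_forwarding_vulnerable(forged), FORWARDING["alice"])
    FORWARDING["alice"] = "alice@example.org"
    results["csrf_vs_hardened"] = (set_forwarding_hardened(forged), FORWARDING["alice"])

    # 2. Legitimate change: the site's own form carries the token it was rendered with.
    legit = browser_request(sid, {"forward_to": "alice@example.com",
                                  "csrf": settings_page(browser_request(sid, {}))})
    results["legit_vs_hardened"] = (set_forwarding_hardened(legit), FORWARDING["alice"])

    # 3. Stolen cookie ("cookie replayer"): the attacker holds sid itself, so he can fetch
    #    the settings page, read the token and pass the check. CSRF tokens do not help here.
    FORWARDING["alice"] = "alice@example.org"
    replay = browser_request(sid, {"forward_to": "attacker@evil.example",
                                   "csrf": settings_page(browser_request(sid, {}))})
    results["stolen_cookie_vs_hardened"] = (set_forwarding_hardened(replay), FORWARDING["alice"])
    return results


if __name__ == "__main__":
    for name, (status, forward) in demo().items():
        print(f"{name:28} HTTP {status}  forwarding -> {forward}")
```

The token check stops the forged request (403, address unchanged) while the legitimate form still works, but scenario 3 goes through with a 200: once the session cookie has been sniffed off the machine, the server cannot tell the replayer from the user, and the controls that matter are the ones that keep the cookie from being stolen and limit how long it stays valid.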

FTR, Henry thinks that political pressure in Russia may have led RBN to move its operations to China. If that's the case, it's good to hear that the Russian law enforcement types are finally turning up the heat.

At the same time that the malware world is getting so much more professional -- with those finding the vulnerabilities and building the threats getting better at productizing their work and further separating themselves from those actually carrying out the attacks -- Henry points to overconfidence on the part of security professionals as another disturbing trend.

As highlighted in the E-Crime report put out in September by InfoWorld sister pub CSO Magazine, along with CERT and other government experts, many IT and security professionals seem to think that the defenses they already have in place, including AV, firewalls and intrusion prevention systems (IPS), are sufficient to stop most threats.

But according to both the report and Henry, that confidence is misplaced.

Combined with these other trends, 2008 could be pretty nasty.

"As the hacking community gets more professional and we see this overconfidence in security teams, it leads me to believe that 2008 could be pretty interesting," Henry said. "We're really in a rough spot, the most common defense methodology is the negative security model today, and hackers have proven that this is of no consequence to them."

On the flip side, if more people start considering a move to positive security models, such as the white listing techniques described in my recent story on Symantec researcher Carey Nachenberg, Henry thinks we may see some progress in the not-too-distant future.

"If you look at what people are using today, you can literally see where they're falling short; they're using simple packet filters for the firewall, and nothing to protect against Web 2.0 attacks, where the big push by the attackers is moving," he said. "The entire negative security model where traffic flows freely and you try to use signatures to block threats has failed, and hackers are blowing right through it using obfuscation. But, I think that a positive security model can work someday, where you configure your firewall to accept only the good traffic you define."

The big remaining question is how many more years it will be until the industry can make such an approach practical to employ on a widespread basis.
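Henry's point about signatures failing to obfuscation is easy to reproduce at the level of a single input filter. The following added example (not code from the original post or from Secure Computing) puts a small signature blacklist, the negative model, beside a per-field allowlist, the positive model, and runs both over constructed payloads: the same script injection plain, mixed-case, URL-encoded and entity-encoded, plus a vector the blacklist never listed. The signature set, field definitions and payloads are all assumptions invented for the example.

```python
import html
import re
from urllib.parse import unquote

# Negative model: a blacklist of signatures for known-bad input, as a signature-based
# IPS or filter would apply it to the raw request.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in
              (r"<script", r"javascript:", r"onerror\s*=", r"union\s+select")]


def negative_filter(raw):
    """Allow everything that does not match a known-bad signature."""
    return not any(sig.search(raw) for sig in SIGNATURES)


# Positive model: define exactly what each field may contain and reject the rest.
ALLOWED = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "folder": re.compile(r"inbox|sent|drafts|trash"),
    "page": re.compile(r"[1-9][0-9]{0,3}"),
}


def positive_filter(field, raw):
    """Allow only values that fully match the field's definition of good."""
    pattern = ALLOWED.get(field)
    return bool(pattern and pattern.fullmatch(raw))


def application_decodes(raw):
    """What the application actually sees after the usual URL and HTML entity decoding."""
    return html.unescape(unquote(raw))


def attack_lands(decoded):
    """Crude oracle: does the decoded value contain an active script vector?"""
    low = decoded.lower()
    return "<" in low and ("script" in low or "onload" in low)


# Constructed test inputs (invented for this example): one legitimate username and
# the same payload in the forms attackers use to slip past signatures.
INPUTS = {
    "legit_username": "alice_01",
    "plain": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
    "url_encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
    "entity_encoded": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "unlisted_vector": "<svg onload=alert(1)>",
}


def audit(inputs, field="username"):
    """Per input: did the blacklist block it, would it have executed, did the allowlist block it."""
    report = {}
    for name, raw in inputs.items():
        report[name] = {
            "negative_blocks": not negative_filter(raw),
            "attack_lands": attack_lands(application_decodes(raw)),
            "positive_blocks": not positive_filter(field, raw),
        }
    return report


def negative_model_misses(inputs):
    """Names of inputs the signature filter let through that would still have executed."""
    return sorted(n for n, r in audit(inputs).items()
                  if r["attack_lands"] and not r["negative_blocks"])


if __name__ == "__main__":
    for name, verdict in audit(INPUTS).items():
        print(f"{name:16} {verdict}")
    print("signature filter missed:", negative_model_misses(INPUTS))
```

The blacklist catches the plain and mixed-case payloads and misses the two encoded forms and the unlisted vector, while the allowlist rejects all five and still admits the real username. The caveat is the one the approach always carries: a positive model needs a definition of "good" per field, which is natural for usernames, folder names and page numbers and impossible for free text such as a blog comment, where output encoding rather than input filtering is the control that holds.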

Happy Holidays!

Posted by Matt Hines on December 21, 2007 09:09 AM


COMMENTS
White Listing? But how can you white list something like your blog here, where you are in a way soliciting email or comments? You don't know who is sending you anything or what is in the mail until you open it.

I admit you could go to a mode where you would only allow e-mail from someone who has registered with the site, responded to an e-mail, then uses a login and password to post. I've a couple of dozen such user names and passwords, and quite frankly it is getting to be a pain to maintain the list. I don't dare use the same password on two sites, and make the password lengths as long as the site will allow. But how many times do you want to type something such as thispasswordisforzerodaysecurityoninfoworld in order to post?

It would seem to me that reading e-mail as plain text only and not permitting links is the only near-safe thing you can do.

Posted by: gostak at December 22, 2007 03:05 AM
