Threats and trends: a year in security

31 Jan 2008

Gordon Smith takes soundings from the IT security sector about the likely source of attacks in 2008

January is a time for looking back at the year gone past and forward at the months to come. The IT security industry has duly followed that tradition with analysis of what came to pass in 2007, along with forecasts of what to expect in 2008.

Some have kept their predictions broad, whereas others have taken the riskier approach of identifying very specific targets where security threats could originate. Above all else, what is clear is that despite one more year’s worth of knowledge gained within the tech security sector and a raft of products and services to tighten IT defences, the nature and extent of threats hasn’t diminished. In its annual report, MessageLabs called 2007 “a year of storms, spam and socialising”.

If 2007 was the “year when botnets came of age,” then the prospects for the next 12 months should make for a difficult adolescence. Botnets are groups of compromised computers that can be used to send spam or other forms of malware. A new gang, allegedly responsible for the Storm Worm, emerged last year. “Its botnet of almost two million compromised computers was deemed one of the largest of its kind,” says MessageLabs’ report.

On the same theme, software firm CA’s 2008 Internet Security Outlook forecasts that the number of computers infected by botnets will increase sharply during this year. CA and MessageLabs both concluded that traditional botnets are evolving from a simple command-and-control structure to more devolved and discreet groups with greater agility and an increased number of functions, which are consequently much more difficult to disrupt.

The people controlling the bots are also changing their tactics to make themselves harder to detect, CA claims. “While security protection is becoming better at detecting malware, online thieves are getting smarter and stealthier in the way they attack our computers,” says John Power, senior solutions strategist with CA in Ireland.

AVG, the Czech antivirus firm, believes Storm is here for the long haul. “We’re seeing pieces of Storm sold off to the bad guys and we expect orchestrated attacks across multiple platforms,” says AVG chief technology officer, Karel Obluk.

Several industry observers agree that social networking sites will become more vulnerable as their popularity grows. “The large number of aggregated potential victims and relatively small concern for computer security make these sites a windfall for cyber-thieves,” is CA’s verdict.

Obluk expects larger-scale attacks to follow this year as malicious parties put the knowledge gained in 2007 to use. “The real danger is these attacks will begin to impact the growth of search engine and social networking use,” he warns. Among the top web exploits from last year, AVG identified the Facebook banner ads that were used to distribute adware-driven exploits last September. Two months later, MySpace was used to deliver drive-by exploits.

CA’s report earmarks another trend to watch in noting that events such as the US presidential election and the Beijing Olympics represent high-profile opportunities for attacks and corruption or data theft. Researchers at Websense were even more specific, predicting the possibility of large-scale denial-of-service (DoS) attacks on Olympic-related sites as political statements, in addition to fraud attempts through email and the web surrounding the games.

Websense also believes news or other sports sites could be attacked by people looking to install malicious code on end-users’ machines and steal personal or confidential business information.

Attacks like this have some precedent: last year the Miami Dolphins’ website succumbed to a drive-by downloading attack, timed to coincide with the team’s appearance in the Super Bowl. Using the web to make political statements has also been seen before, notably when Danish websites were defaced following the publication in a Copenhagen newspaper of a cartoon that offended Muslims.

The spam problem shows little sign of abating. According to CA, more than 90pc of email is unsolicited junk mail. Spammers have been improving their tactics and making their messages harder to identify and quarantine. Instead of just plain-text emails, attachments come in the form of images, PDFs, spreadsheets or videos that contain malware or link to malicious sites, the CA report shows.

With an eye on the business implications of security threats, software company Novell identifies three key areas where money will be spent this year: dealing with regulatory compliance, coping with insider threats and preventing identity theft.

“Technology that can automate and validate network activity to meet compliance requirements will grow in importance,” says Jim Ebzery, senior vice president for identity and security management at Novell.

He also believes companies will spend more on password protection and encryption technology to mitigate the risk of employees losing potentially sensitive documents. “Laptops, PDAs and USB drives often contain confidential work information and sensitive personal data – and because of their size and mobility, can be easily lost or stolen,” says Ebzery.

Many businesses will invest in more powerful user authentication technology to reduce the opportunities for ID theft, he adds. Ebzery makes no claims for originality in his predictions. “Meeting compliance, combating insider threats and preventing identity theft are not new security challenges, but these are issues that continue to persist,” he maintains.

There’s some good news amid the gloom: mobile phones appear to be safe – for now. Despite repeated reports of mobile malware, CA believes smartphones and other mobile devices won’t be a real opportunity for criminals this year. “Proof-of-concept malware for mobile devices has not yet translated into any meaningful attacks,” says the company’s report.

With threats from so many different sources, it’s tempting to conclude – as some security experts do – that the only secure computer is one that is unplugged.

Power says it’s just a matter of taking sensible steps to watch where we go online and what information we disclose. “Our attitude about protecting our internet privacy and the subsequent actions we take, whether at work or at play, can dramatically alter our online safety,” he concludes.

By Gordon Smith