The future of Malware | News from “PCadvisor.com”
Security breaches look set to get worse as hacker groups target smartphones and social media and release more information online. Jeff Vance reports.
Personal information leaked online is becoming an all too common occurrence. For example, Sony suffered a massive breach of its PlayStation Network earlier this year that led to the theft of names, addresses and possibly credit-card data belonging to 77 million users.
If you think the situation is bad now, just wait. Things will get worse as more information is dumped online by mischievous hacker groups such as Anonymous, and cybercriminals begin to target smartphones and social media.
In August, AntiSec (a collaboration between Anonymous and the disbanded LulzSec group) released more than 10GB of information from 70 US law-enforcement agencies. According to Todd Feinman, CEO of DLP vendor Identity Finder, AntiSec wasn’t motivated by money.
“AntiSec doesn’t like how various law-enforcement agencies operate and it’s trying to embarrass and discredit them,” he said.
But, he added, what it doesn’t realize is that when it publishes sensitive personal information, it’s helping low-skilled cybercriminals commit identity theft. Every week, another government department or business has its records breached – some 250,000 to 500,000 each year, estimated Feinman. Few details from those breaches are published online for all to see, however.
While certain high-profile attacks, such as the one on Sony, are intended to embarrass and spark change, the US law-enforcement breach could represent a shift in hacker thinking. AntiSec’s motivations appear to have a key difference, with the attackers consciously considering collateral damage as a strategic weapon. According to Feinman, AntiSec wrote online: “We don’t care about collateral damage. It will happen, and so be it.”
Have you ever accepted a friend request on Facebook or connected to someone on LinkedIn you don’t know? Perhaps you thought it was someone from school you’d forgotten about, or a former colleague whose name had slipped your mind. Not wanting to seem rude, you accepted them as a friend and quickly forgot about it. “When people make trust decisions with social networks, they don’t always understand the ramifications. Today, you are far more knowable by someone who doesn’t know you than ever,” said Dr Hugh Thompson, program chair of RSA Conferences.
We all know people who discuss everything they do on a social network or blog, from eating their breakfast to clipping their toenails. While most of us consider these people a nuisance and may hide their status updates, cybercriminals love them.
“Password-reset questions are easy to guess, and tools such as Ancestry.com, while not created for this purpose, provide hackers with useful information,” said Thompson.
There are a few areas he believes the IT security industry needs to concentrate on: security for social media, ways to manage the information shared about you, and better methods for measuring evolving risks.
Fake security software is the most common type of social-engineering attack that researchers at Blue Coat Systems come across. Chris Larsen, head of the lab, explained that social networks aren’t being used only to target individuals.
Larsen outlined a recent attack attempt where hackers targeted executives of a major corporation through their spouses.
The chances were at least one of the businessmen would have a poorly secured home PC that he shared with his non-tech-savvy wife. This would provide the backdoor needed to gain access to the company.
“Whaling is definitely on the rise,” said Paul Wood, senior intelligence analyst for Symantec.cloud. “Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80.”
According to Wood, social engineering is by far the most potent weapon in the cybercriminal’s toolbox (automated, widely available malware and hacking toolkits are number two). Combine that with the fact that many senior executives circumvent IT security because they want the latest and trendiest devices, and cybercriminals have many valuable, easy-to-hit targets in their sights.
“Attacks on small businesses are increasingly dramatic because they are usually the weakest link in a larger supply chain,” said Wood.
There’s no sure way to defend against this. Until companies start scrutinizing the cyber-security of their partners and suppliers, they can’t say with any certainty whether or not they themselves are secure. While it’s common for large firms to keep a close eye on their suppliers, with factory visits that result in the implementation of an array of ‘best practices’, companies aren’t doing this when it comes to cyber-security.
Smartphone threats are on the rise, but we’ve yet to see a major incident. This is partly due to platform fragmentation. Malware creators still get better results by targeting PCs or websites.
Larsen believes that platform-agnostic, web-based worms represent the new frontier of malware. Platform-agnostic malware lets legitimate developers do some of the heavy lifting for malware writers. As developers re-engineer sites and apps to work on a variety of devices, hackers can then target the HTML, XML, JPEGs and so on that render on any device anywhere.
Mobile phones are serving as a second identity factor for all sorts of corporate authentication schemes. Businesses that used to rely on hard tokens, such as RSA SecurID, are moving to soft tokens, which can reside on mobile phones roaming beyond the corporation as easily as on PCs ensconced within corporate walls.
“Two-factor authentication originally emerged because people couldn’t trust computers. Using mobile phones as an identity factor defeats two-factor authentication,” said Marc Maiffret, CTO of eEye Digital Security.
Today, Android is the big smartphone target, but don’t be surprised if attackers soon turn their attention to the iPhone – especially if third-party antivirus programs become more or less standard on Android devices. iPhone demographics are appealing to attackers, and security experts will tell you that Apple products are notoriously insecure.
Apple is reluctant to provide third-party security entities with the kind of platform access they need to improve the security of iPhones, iPads, MacBook Airs and so on. “Apple is very much on its own with security,” said Maiffret. “It almost mirrors late-90s Microsoft, and it’ll probably take a major incident or two to incite change.”
If we’ve learned anything about security in the past 20 years, it’s that another major incident is always looming just over the horizon. With the number of IP-connected devices climbing to anywhere from 50 billion to a trillion in the next five to 10 years, tomorrow’s hackers could target anything from home alarms and air traffic-control systems to flood control in dams.