Top 10 digitale dreigingen 2008 |
||
Datum: 10 januari 2008. Top 10 digitale dreigingen voor 2008 Beknopte Nederlandse vertaling: Volgens het SANS Institute
Volledig artikel: Top Ten Cyber Security Menaces for 2008 Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008. Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller. Here's their consensus list in ranked order:
Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, web site attacks have migrated from simple ones based one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads.
The so-called Storm worm (which was not really a worm at all) started spreading in January, 2007 with an email saying, "230 dead as storm batters Europe," and was followed by subsequent variants. Within a week it accounted for one out of every twelve infections on the Internet, installing rootkits and making each infected system a member of a new type of botnet. Previous botnets used centralized command and control; the Storm worm uses peer-to-peer control, so there is no central controller to take down. Additional variants have used messages with different subjects and improved the capabilities of the rootkit. In 2008 additional variants and continually increasing sophistication will keep this worm and other even more sophisticated worms near the top of any list of menaces.
One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.
Mobile phones are general purpose computers, so worms, viruses, and other malware will increasingly target them. Google's recent announcement of "android" and the formation of the "open handset alliance" is a watershed moment for the mobile industry. A truly open mobile platform will usher in completely unforeseen security nightmares. The developer toolkits provide easy access for hackers. And hackers are taking note. The author of Metasploit, H.D. Moore, plans a mobile payload presentation webcast this month.
Insider attacks are initiated by rogue employees, consultants and/or contractors of an organization. Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to systems, databases, and networks that they attack, giving them a significant head start in attacks that they launch. More recently, however, security perimeters have broken down, something that allows insiders to attack both from the inside and from outside an organization's network boundaries. Insider-related risk (as well as outsider risk) has thus skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting access according to what users need to do their jobs.
A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used email addresses, and more. They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identify theft attempts where criminals have enough data to pass basic security checks.
Criminal and nation-state attackers continue to refine the capabilities of their malicious code, expanding on flux techniques to obscure their infrastructure, making it even harder to locate their servers. Additionally, the recent Storm variants' capabilities of being able to detect investigators' activity and then respond with a flooding attack against the investigators will become more mainstream and even more powerful, protecting the attackers and making investigation more difficult. Tools will also increasingly target and dodge anti-virus, anti-spyware, and anti-rootkit tools to help preserve the attacker's control of a victim machine for as long as possible. In short, malware will become stickier on target machines and more difficult to shut down.
Large percentages of web sites have cross site scripting, SQL injection, and other vulnerabilities resulting from programming errors. Until 2007 few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access. Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from web programming errors as new ways of penetrating important organizations. Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes "user supplied data." In 2008, web 2.0 vulnerabilities will be added to more traditional programming flaws and web application attacks will grow substantially.
Blended approaches will amplify the impact of many more common attacks. For example, the success of phishing is being radically increased by first stealing IDs of users of other technologies. Salesforce.com users were targeted for an "FTC complaint" phishing email. Monster.com users were targeted for a job offer phishing email. Even if it is non-targeted, event phishing is gaining in sophistication. Tax filing scams and scams based on the U.S. Presidential elections will be widely used this year, and many of them will succeed. A note with the subject "Hillary drops out of the race" or "Rudy and female staffer caught on film" could generate huge new botnets of people who are interested in politics, but may not have patched their systems fully. Add to those opportunities potential bogus fund raising sites and even political dirty tricks going digital, and you'll have an explosive junction of hacking and politics.
Retail outlets are increasingly becoming unwitting distributors of malware. Devices with USB connections and the CDs packaged with those devices sometimes contain malware that infect victims' computers and connect them into botnets. Even more targeted attacks using the same technique are starting to hit conference attendees who are given USB thumb drives and CDs that supposedly contain just the conference papers, but increasingly also contain malicious software.
Bron: System, Audit, Network, Security Institute (http://www.sans.org) |