
Top 10 digital threats 2008


Date: 10 January 2008.

Top 10 digital threats for 2008

Brief summary (translated from the Dutch):

According to the SANS Institute,

  1. the biggest computer threat this year comes from websites that try to exploit weaknesses in browsers and their associated plugins (such as Flash and QuickTime).
  2. In second place, SANS expects more advanced use of botnets, following the Storm worm that woke the world up last year.
  3. Striking is the third place on the list: cyber espionage by large organizations or even governments. In 2007 China was frequently in the news for alleged spying. SANS expects more activity in this area from even more organizations.
  4. The risk of attacks on mobile phones and VoIP systems also ranks high on the list (fourth place). Phones are becoming ever more advanced, often have a complete operating system and are therefore becoming more vulnerable.
  5. An old acquaintance is in fifth place: users/employees themselves remain a weak link in the security of (corporate) data. Among other things, SANS advises companies to strictly limit access to systems to what the user needs to do their job properly.
  6. In sixth place is the risk of bots that inspect PCs for three to five months to collect data such as passwords, email addresses, bank details, browsing history and the like.
  7. Seventh place goes to spyware becoming more malicious. According to SANS, the software will also become ever better at identifying and disabling anti-malware programs, making it considerably harder to remove spyware from a PC.
  8. In the lower regions of the list we find the exploitation of vulnerabilities in web applications (eighth place),
  9. 'social engineering' (the 'enlisting' of the users of systems to gain access to those systems, for instance through phishing) in ninth place,
  10. and in tenth place the spreading of malware via consumer products such as USB sticks, photo frames and GPS systems.

Full article:

Top Ten Cyber Security Menaces for 2008

Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008.

Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.

Here's their consensus list in ranked order:

  1. Increasingly sophisticated web site attacks that exploit browser vulnerabilities - especially on trusted web sites

Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, web site attacks have migrated from simple ones based on one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads.
One of the latest such modules, mpack, produces a claimed 10-25% success rate in exploiting browsers that visit sites infected with the module.
While all this is happening, attackers are actively placing exploit code on popular, trusted web sites where users have an expectation of effective security. Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.

  2. Increasing sophistication and effectiveness in botnets

The so-called Storm worm (which was not really a worm at all) started spreading in January 2007 with an email saying, "230 dead as storm batters Europe," and was followed by subsequent variants. Within a week it accounted for one out of every twelve infections on the Internet, installing rootkits and making each infected system a member of a new type of botnet. Previous botnets used centralized command and control; the Storm worm uses peer-to-peer control, so there is no central controller to take down. Additional variants have used messages with different subjects and improved the capabilities of the rootkit. In 2008 additional variants and continually increasing sophistication will keep this worm and other even more sophisticated worms near the top of any list of menaces.

  3. Cyber espionage efforts by well-resourced organizations looking to extract large amounts of data - particularly using targeted phishing

One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.

  4. Mobile phone threats, especially against iPhones and Android-based phones; plus VoIP

Mobile phones are general purpose computers, so worms, viruses, and other malware will increasingly target them. Google's recent announcement of "Android" and the formation of the "Open Handset Alliance" are a watershed moment for the mobile industry. A truly open mobile platform will usher in completely unforeseen security nightmares. The developer toolkits provide easy access for hackers. And hackers are taking note. The author of Metasploit, H.D. Moore, plans a mobile payload presentation webcast this month.
Attacks on VoIP systems are on the horizon and may surge in 2008. VoIP phones and the IP PBXs have had numerous published vulnerabilities. Attack tools exploiting these vulnerabilities have been written and are available on the Internet. In short, the VoIP attack surface is enormous.

  5. Insider attacks

Insider attacks are initiated by rogue employees, consultants and/or contractors of an organization. Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to systems, databases, and networks that they attack, giving them a significant head start in attacks that they launch. More recently, however, security perimeters have broken down, something that allows insiders to attack both from the inside and from outside an organization's network boundaries. Insider-related risk (as well as outsider risk) has thus skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting access according to what users need to do their jobs.

  6. Advanced identity theft from persistent bots

A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used email addresses, and more. They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identity theft attempts where criminals have enough data to pass basic security checks.

  7. Increasingly malicious spyware

Criminal and nation-state attackers continue to refine the capabilities of their malicious code, expanding on flux techniques to obscure their infrastructure, making it even harder to locate their servers. Additionally, the recent Storm variants' capabilities of being able to detect investigators' activity and then respond with a flooding attack against the investigators will become more mainstream and even more powerful, protecting the attackers and making investigation more difficult. Tools will also increasingly target and dodge anti-virus, anti-spyware, and anti-rootkit tools to help preserve the attacker's control of a victim machine for as long as possible. In short, malware will become stickier on target machines and more difficult to shut down.

  8. Web application security exploits

Large percentages of web sites have cross site scripting, SQL injection, and other vulnerabilities resulting from programming errors. Until 2007 few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access. Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from web programming errors as new ways of penetrating important organizations. Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes "user supplied data." In 2008, web 2.0 vulnerabilities will be added to more traditional programming flaws and web application attacks will grow substantially.
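As an added example (not part of the SANS article), the two flaw classes this item names in miniature: a lookup that builds SQL from browser-supplied input beside its parameterised form, and unescaped beside escaped HTML output. The in-memory SQLite table and all values are constructed for the demonstration.

```python
"""Added example: why server-side code must treat everything arriving from
the browser as untrusted, whatever client-side script ran before it.
Constructed data only; not code from the SANS article."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web application's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_vulnerable(db, name):
    """Concatenates the browser-supplied value into the SQL text, so the
    value can change the meaning of the query (SQL injection)."""
    rows = db.execute("SELECT email FROM users WHERE name = '" + name + "'")
    return [r[0] for r in rows.fetchall()]


def lookup_hardened(db, name):
    """Binds the value as a parameter: it is only ever compared as data,
    regardless of what client-side validation did or did not do."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]


def render_vulnerable(name):
    """Echoes the value into HTML unescaped; markup inside it is interpreted
    by the next visitor's browser (cross-site scripting)."""
    return "<p>Results for " + name + "</p>"


def render_hardened(name):
    """Escapes at the point of output, so markup is displayed as text."""
    return "<p>Results for " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A value client-side JavaScript might reject, but which can be sent to
    # the server directly: only the parameterised query stays correct.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, crafted))  # both addresses leak
    print(lookup_hardened(db, crafted))    # [] : nobody is literally named that
    print(render_hardened("<b>bold</b>"))  # markup shown as text
```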

  9. Increasingly sophisticated social engineering including blending phishing with VoIP and event phishing

Blended approaches will amplify the impact of many more common attacks. For example, the success of phishing is being radically increased by first stealing IDs of users of other technologies. Salesforce.com users were targeted for an "FTC complaint" phishing email. Monster.com users were targeted for a job offer phishing email. Even if it is non-targeted, event phishing is gaining in sophistication. Tax filing scams and scams based on the U.S. Presidential elections will be widely used this year, and many of them will succeed. A note with the subject "Hillary drops out of the race" or "Rudy and female staffer caught on film" could generate huge new botnets of people who are interested in politics, but may not have patched their systems fully. Add to those opportunities potential bogus fund raising sites and even political dirty tricks going digital, and you'll have an explosive junction of hacking and politics.
A second area of blended phishing combines email and VoIP. An inbound email, apparently being sent by a credit card company, asks recipients to "re-authorize" their credit cards by calling a 1-800 number. The number leads them (via VoIP) to an automated system in a foreign country that, quite convincingly, asks that they key in their credit card number, CVV, and expiration date.

  10. Supply chain attacks infecting consumer devices (USB thumb drives, GPS systems, photo frames, etc.) distributed by trusted organizations

Retail outlets are increasingly becoming unwitting distributors of malware. Devices with USB connections and the CDs packaged with those devices sometimes contain malware that infects victims' computers and connects them into botnets. Even more targeted attacks using the same technique are starting to hit conference attendees who are given USB thumb drives and CDs that supposedly contain just the conference papers, but increasingly also contain malicious software.


Source: System, Audit, Network, Security Institute (http://www.sans.org)