Keeping IT Awake All Night

The SANS Institute???s Top 10 Menaces of 2008, developed by panel of security experts, predicts key threats in 2008. While some threats have been with us for some time, like Web-based attacks, spyware, and bot nets, and insider problems, the difference is in the sophistication of the attacks. Supply chain attacks -- malware that is installed on consumer devices like USB drives, memory sticks, and even photo frames, pose a new threat and could potentially become a factor, particularly in the consumer space. Supply chain attacks occur when products are shipped from a manufacturer or distribution site with some malware that will infect users' computers. SAN reported a few cases from this holiday season where photo frames containing malware fell into consumers hands. In the past, a ploy using Windows Auto-Run that executes programs on CD???s, DVD???s, and USB drives, has been used to infect users with malware by inducing them to insert a USB key, or launch a rootkit from a music CD. The broad distribution of mass market products and our trust in the sanctity of shrink-wrapped products makes supply chain attacks effective. One of the report authors, Mark Sachs, says, "There are some pretty lax quality controls in place for the no-name generic device manufacturers that supply U.S. companies that put their name on the product."

It's no surprise that the unsuspecting user is under attack, and due to the nature of Web sites being poorly programmed, attacks coming through rich media, the numerous dialog boxes asking to install some module or other, the ability of attackers to break into computers through a trusted Web site, and the sophistication of organized criminals to adapt their attacks to new technologies, converge into a rich landscape of attack methods open to criminals. It's one thing to be conned out of your life savings by trying to help a minister of some third-world country export millions of dollars from his country. It's another matter to visit a trusted Web site and have malware installed on your computer because the Web server has been compromised or the attack is coming through the Web site via cross-site scripting, uploaded rich media, and the like.

The malware is increasingly sophisticated bots that are under the command and control of nefarious individuals. Bots can be used for denial of service attacks and other harassment, but identity theft is a common use. Rather than connecting to a command server, the bot can quietly gather data like passwords, Web sites, and documents, and will eventually phone home with the data. Bots that are designed to hide and the inability of anti-malware to detect unknown programs make discovery and cleaning difficult.

The telephone in any form (landline, cell, VoIP), is such a staple that attacks are inevitable. Every year we see predictions about the increasing attacks on mobiles phones, but with the increased popularity of mobile devices like Apple???s iPhone, Palm and Windows Mobile phones, and the availability of high speed mobile broadband, phones become much more interesting targets. There are, of course, more difficulties in generating widespread infection of mobile devices, but a targeted attack is possible.

Finally, phishers are adapting to conditions. For years security experts have been telling users to not click on links in e-mails and perhaps that message is starting sink in. SANS predicts the use of VoIP to get users to reveal personal data. Rather than inducing a user to click on a link, the e-mail asks the user to call a toll free number that forwards that call via VoIP to an automated system that asks for personal information. It's a likely attack vector.There are no shortage of menaces in 2008, whether they're cutting-edge bots that can evade detection or the tried and true phishing scams. What is clear is attackers aren't sitting still and defenders still have a ways to go. If you provide an information service, take steps to protect your data and your users from malicious attacks. If you are a consumer of services, demand providers protect their systems. And remember, your phone, photo frame, or nifty USB key are as likely an attack vector as any.