2009: a year of incident, loss, malware and ultimately education

Opinion by Dan Raywood

Three weeks from today we will be celebrating New Year's Eve and preparing to welcome 2010 in.

However before we look forward it is equally important to look back over the past 12 months and get an idea of what we have achieved, accomplished and acquired. In the coming days we will look back at what made the headlines throughout 2009 and what we can expect to happen in 2010.

To begin the look back, we start with one of the biggest stories of the year: Conficker. The story officially began back in 2008, but the first mention on SC was in early January.

Gerhard Eschelbeck, chief technology officer at Webroot, said that this became such a sensation because it was targeted at enterprise networks, but also crossed over to individuals who could bring it home on a USB stick.

He said: “Conficker generated a lot of media discussion which drove confusion among consumers and concern among IT admins. Conficker renewed the public's focus on internet security, at a time when the threat landscape was growing more complex.”

Kevin Haley, a director in Symantec's security response group, commented that while Conficker created problems, it did create ‘cooperation among security vendors, law enforcement and internet service providers', especially with the Conficker Working Group, the FBI's ‘Operation Phish Phry' bust and the Digital Crimes Consortium, which had its inaugural gathering in October.

Conficker was only one piece of malware that dominated the headlines. Eschelbeck said that 2009 saw a changing internet user, one who is highly mobile and who presents a new set of attack vectors for malware authors.

He said: “We also saw increasingly sophisticated malware - cybercriminals using email to distribute malicious web links and manipulating search engine optimisation (SEO) by programming malicious links near the top of search results for popular news stories - and an explosion of social engineering tactics employing fake security alerts and rogue anti-virus products with new variants launched seemingly in real-time.”

Paul Wood, MessageLabs intelligence senior analyst at Symantec, claimed that when the McColo hosting provider, home to the command-and-control servers of several large spamming botnets, was taken offline in late 2008 there was a sharp drop in the volume of spam sent, and that level of spam was not restored until a few weeks later, whereas spam volumes usually recover within a couple of days of a takedown.

Wood said that in 2009 botnet technology evolved to a new level: a takedown that sends a botnet offline for weeks would not happen again, because the botnet owners have really thought about disaster recovery.

Wood said: “The botnet has been a key trend and we have seen spamming botnets, there have been other ones trying to make an impression as have a large number of botnets at their disposal. These specific Trojans are mainly used as droppers.

“They are very flexible in terms of how they can be used and the application of genuine droppers can be used as you want for applications and these are then used to send other malware, so it may not be the bad guys having control of one botnet, they may have control of several. They are much more resilient than before and have learnt their lessons.”

On another side of spam, the year saw several news events used as lures, including the deaths of Michael Jackson and Patrick Swayze and the rumoured, but false, passing of Kanye West. Wood said that this has been a big year in terms of events, ‘and the bad guys can utilise the trends and integrate into the spam'.

“Before the financial crisis was the major factor but as it is very much demonstrated with phishing emails, they have got a huge opportunity with spam potential,” said Wood.

“It has been a difficult year but with the numbers of events it is not something out of the norm, but with social networking so prevalent it is easy to look into the zeitgeist and find what tricks to use with the best return on the spam.”

The Cisco Annual Security Report for 2009 claimed that spam ‘is still a tried-and-true means for tricking people into downloading malware and persuading them to buy, for example, fake pharmaceuticals'.

Looking specifically at the ‘rise of banking Trojans', the report noted that the Zeus and Clampi botnets had gained in size and strength in recent months, while a newer entry on the banking Trojan scene was URLZone, which exhibits new methods to shield itself from detection by the victim. Rather than hiding from anti-virus, it hides from the account holder: it alters the online bank statement as it is displayed in the browser, removing the fraudulent transfer and adjusting the balance so that nothing looks out of place. Victims who check their bank accounts online only, instead of reading paper statements, would not realise their money had been stolen.

Scott Olechowski, Cisco threat research manager, said: “The sophistication built into Trojans like URLZone and Clampi points to an escalation in the race between user security technologies and attacker capabilities.

“Online criminals will continue to seek out low-cost efforts to bypass user protections, maximising their profit and the number of victims. If these sophisticated attacks continue to be adopted by malware creators, the security and financial industries must fight back with solutions that make such attacks cost-ineffective for the attackers.”
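To make the statement manipulation described above concrete, here is an added example (it is illustrative code written for this article, not URLZone's code or Cisco's analysis). The ledger, the account names and the "mule account" transfer are all constructed sample data. It renders a statement the way a bank page would, applies a man-in-the-browser style rewrite that drops the fraudulent row and re-computes the displayed running balances, and then shows why a purely in-page consistency check passes while a reconciliation against an independent channel (a paper statement, a balance alert sent by SMS, or a second device) catches it.

```python
from decimal import Decimal

# Constructed sample data: the bank's authoritative ledger for one account.
# The "Transfer to mule account" row stands in for a fraudulent transfer.
OPENING_BALANCE = Decimal("1200.00")
LEDGER = [
    ("2009-11-02", "Salary", Decimal("2500.00")),
    ("2009-11-05", "Rent", Decimal("-900.00")),
    ("2009-11-09", "Transfer to mule account", Decimal("-1800.00")),
    ("2009-11-10", "Groceries", Decimal("-63.40")),
]


def render_statement(ledger, opening):
    """Rows as the bank's web page would show them: one running balance per row."""
    rows, balance = [], opening
    for date, desc, amount in ledger:
        balance += amount
        rows.append({"date": date, "desc": desc, "amount": amount, "balance": balance})
    return rows


def inject_hide_transfer(rows, hidden_desc):
    """Illustrative man-in-the-browser rewrite (hypothetical, modelled on the
    behaviour the page attributes to URLZone): drop the matching row and shift
    every later running balance so the statement still adds up on screen."""
    shown, shift = [], Decimal("0")
    for row in rows:
        if row["desc"] == hidden_desc:
            shift -= row["amount"]  # amount is negative, so the shift is positive
            continue
        shown.append({**row, "balance": row["balance"] + shift})
    return shown


def check_running_balance(rows, opening):
    """In-page self-consistency: does each row equal previous balance + amount?
    A careful rewrite keeps this true, so it cannot detect the fraud on its own."""
    balance = opening
    for row in rows:
        balance += row["amount"]
        if balance != row["balance"]:
            return False
    return True


def reconcile(displayed_rows, opening, trusted_ledger, trusted_closing):
    """Cross-channel reconciliation. trusted_ledger / trusted_closing come from a
    channel the browser cannot rewrite (paper statement, SMS alert, phone banking).
    Returns the displayed-minus-trusted closing gap and the transactions missing
    from what the user was shown."""
    displayed_closing = displayed_rows[-1]["balance"] if displayed_rows else opening
    seen = {(r["date"], r["desc"], r["amount"]) for r in displayed_rows}
    missing = [entry for entry in trusted_ledger if entry not in seen]
    return {
        "self_consistent": check_running_balance(displayed_rows, opening),
        "closing_gap": displayed_closing - trusted_closing,
        "missing": missing,
    }


if __name__ == "__main__":
    genuine = render_statement(LEDGER, OPENING_BALANCE)
    tampered = inject_hide_transfer(genuine, "Transfer to mule account")
    trusted_closing = genuine[-1]["balance"]
    print("tampered statement self-consistent:",
          check_running_balance(tampered, OPENING_BALANCE))
    print(reconcile(tampered, OPENING_BALANCE, LEDGER, trusted_closing))
```

The lesson is in the two checks: the rewritten page passes `check_running_balance`, because the injected code recomputed the balances, but `reconcile` reports a closing gap equal to the hidden transfer and names the missing transaction. That is exactly the paper statement or balance alert the report says online-only customers were skipping.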

As spam became more web-based, social networking sites became a major channel for distributing it. The same sites also saw a huge rise in use, creating a dilemma for employers over whether to allow them in the workplace and over the productivity and security issues that followed.

Haley said: “2009 was the year attacks against both social networking sites themselves and the users of those sites became standard practice for criminals. The latter half of 2009 saw attacks utilising social networking sites increase in both frequency and sophistication. Such sites combine two factors that make for an ideal target for online criminal activity: a massive number of users and a high-level of trust among those users.”

In agreement was Dave Jevans, chairman of the Anti-Phishing Working Group and CEO of IronKey, who said that spam is now ‘much more targeted as you can get controls that hit a million people a day to distribute malware'.

He said: “Security is the role of social networking, and companies will have a hard time stopping it. Twitter is the next marketing vehicle and that stuff is out there and there is a risk and we always know it. eBay has used generated content and they have people fighting against it all day so companies need to get to business levels and find control as the problem is not going away at all.”

Eschelbeck said: “Concerned about productivity and infection, enterprises struggled with corporate usage policies of social networks - media that is now ubiquitous, and also integral to communicating with and understanding customers. Meanwhile, consumers adopted social networks en masse, providing cybercriminals with a huge target for harvesting personal data via Koobface and various spam campaigns.”

Moving on to other areas that saw major growth: the cloud was a huge buzzword throughout 2009. Eschelbeck said that while ‘cloud computing' and ‘in the cloud' held different meanings for different people in 2009, enterprises continued to adopt security as a service for its easier, faster, more efficient and cost-effective distribution of security updates.

Cisco said that while ten years ago it would have been unthinkable for businesses to keep sensitive data outside the corporate firewall, today, with the advent of cloud computing and hosted applications, doing so is increasingly common. Many users are so trusting of cloud computing that they do minimal due diligence on who is hosting their sensitive data, and how secure the data is.

Commenting, Jevans said that he thought that ‘it was great, but the reality is that people are figuring out the security risk and it is significant'.

He said: “Companies are saying let me outsource and have not considered authentication, no one is offering strong authentication that is comparable to a company's requirements.”

An unfortunate fact was that data breaches continued to spiral, with reports appearing throughout the year. Jevans said that, given the increase in 2009, he does not expect them to stop occurring any time soon.

Haley said that according to the Identity Theft Resource Center, as of the 13th October 2009, 403 data breaches have been reported for the year, exposing more than 220 million records.

Haley said: “Well-meaning insiders continue to represent the bulk of data loss incidents with 88 per cent of all data loss incidents caused by insiders like employees and partners, according to The Ponemon Institute.

“There are rising concerns, however, about malicious data loss: 59 per cent of ex-employees admitted that they took company data when they left their jobs, according to another study by Ponemon. While organisations are increasingly focused on preventing data loss, it's clear that more needs to be done to prevent sensitive information from leaving an organisation.”

Tony Dyhouse, director of the cyber security programme at the Digital Systems Knowledge Transfer Network, welcomed the requirement to report breaches, claiming that it was a ‘step in the right direction'.

He also welcomed the review of cyber security by the US government and the cyber security strategy in the UK, and also the work of the office of the Cyber Security Operations Centre.

Dyhouse said: “At last people are waking up. The bad news is the constant tranche of data security breaches, recently St Albans, sticks are going missing and indications are that the criminal fraternity understands the value of data and the potential for threatening behaviour.

“It is sad but it shows that people fail on solutions such as encryption, but people have forgotten the basics no matter how good their technology is, no one should be able to walk out of a company with a laptop.”

It is tricky to sum up 12 months of incidents in a single article, but across all the comments and opinion I received there was a clear vein of hope that things will get better. The fact that people had woken up to security issues because of the threats and incidents mentioned here was also seen as a major positive.

See the follow on story next week for prediction and a look forward to 2010.
