With so much money being moved online these days, cybercriminals are getting greedy, and smarter. Mark Mayne asks the experts for advice.
Willie Sutton was once asked why he had robbed so many banks. He replied: “Because that's where the money is.” Undeniable logic, and it applies as much to online commerce as to the high-street bank. As more users and companies use the web for commerce, the growing financial throughput gives criminals more to aim at.
We look at some of the current issues and ask ten security experts where they see the world going, what the threat landscape looks like now and what worries them most about the future.
Jon Callas is the principal author of the Internet Engineering Task Force's OpenPGP encryption standard. Having worked for Network Associates and Apple Computer, he is now CTO of US-based PGP Corporation.
“[The rise in internet crime over the past two years] is not just down to bored graduate students trying to be clever, it's now financially motivated professional criminals who are turning their hand to the online environment.
“Hackers and viral threats are also becoming far more targeted. We are seeing the rise of tailored Trojans aimed at customers of specific banks, dubbed spear phishing attacks. Consequently, we are witnessing increasing awareness of the value of an individual's identity, with the adoption of US-style laws aimed at protecting ID by requiring encryption of customer details.
“However, encryption doesn't solve every problem. Encrypted data merely shows an expert where to look for information; there will always be indicators of what the data was, where it came from and where it went. Back-up systems often save files in the clear, for example. Bear in mind, too, that hackers in other countries may have the manpower and time to crack many commercial systems through persistent brute force.
“The way forward? Security technology will have to be built more flexibly in order to be able to counter several threats at once. At the same time, user interfaces will need to be made simpler to accommodate more information presentation – coloured surrounds for safe and non-safe, for example.
“Business processes will need to be changed too, just as credit-card companies will have to stop using the current insurance model, and switch to a more responsible one.”
Raimund Genes has been with Trend Micro for ten years. He is currently CTO, based in Germany and tasked with threat response.
“It's very noticeable that we aren't seeing the really large-scale outbreaks we used to, such as the Love Bug and Kournikova viruses – the last was Sasser, in 2004. This is giving a false sense of security to web users. The absence of new viruses is not entirely due to better security, it's mainly because the bad guys are writing malware for cash. We are really seeing a golden age of criminal invention now. If we in the security industry are not careful, people will lose the trust they have in the internet at present – which would be disastrous.
“Botnets are and will continue to be a growth area. They can generate huge revenues from multiple sources, such as distributed denial-of-service attacks, spoofing pay-per-click advert links on Google and installing adware/malware, require little hands-on maintenance and are almost impossible to stop at the moment. We are tracking enormous numbers of bots, but cannot do much to close them down. Internet service providers are not yet interested. MS Vista will help slow the infection of home PCs, but Vista malware will soon be available, I'm sure…”
Greg Day is a security analyst at McAfee, where he runs the company's Live Virus workshop programme. He started his career at Dr Solomon's 15 years ago.
“One thing we've certainly seen [in internet crime] recently is the move towards hitting smaller businesses, and even individuals, for smaller gains, rather than going after the big score.
“Also, the hackers have got a lot quieter. This is because in malware terms, the longer they are on your PC, the more cash they make – time literally is money. Bots are hardly new, but in January 2005 750,000 PCs were infected; that has now grown to between 10 and 12 million. Last year was also the first time that cybercrime made more money than drug crime.”
“The future? Bluetooth-initiated premium SMS attacks on smartphones will be seen soon, as they're such a tempting target. Multiple authentication for banks will become commonplace, and international co-operation to combat cybercrime will have to improve still further.”
Dr Andy Jones leads the research group on security at the BT Group Chief Technology Office. He was previously principal lecturer at the University of Glamorgan in Wales, where he created a computer forensics research laboratory.
“The trouble is that criminals have realised how deniable online crime is, and how low the probability is of getting caught – unless you hack a US defence system.
“The UK is now the botnet capital of the world, but most home users just don't know or care – their PC still works. If you leave a PC on broadband all the time, chances are you no longer own it. Once the bots are on, it's a tricky situation. We know where they are from traffic monitoring, but what should we do? Deny access? Internet service providers won't make many friends that way, and there are, of course, contractual obligations to be met; it's a very tight balance.
“Social engineering is the biggest winner for the bad guys though, online and offline – there's always a way in. For example, USB seeding, where trojan-infected USB drives are dropped near your target offices; someone's guaranteed to plug one in.
“I expect to see more social engineering in future, because it works, along with growth in VoIP spam and messenger viruses, to say nothing of Bluetooth exploits.”
Alex Shipp is senior anti-virus technologist at MessageLabs, and the architect and lead programmer of the company's email security system and multi-patented virus scanner.
“The most worrying trend is the rise in spear phishing attacks – up from two per week last year to one a day this year. These are very low-volume attacks – under ten emails – but they are very well researched.
“One in particular was sent to some of our aerospace clients recently, and only installed itself on a target PC if it detected computer-aided design software – thus only infecting the research and development department. The bad guys are also using compression and encryption technology more regularly, which is a serious concern.
“One thing that's certain is that the bad guys haven't run out of ideas yet. In order to fight back, I think we'll need malicious traffic detection technology built into the internet. Users shouldn't be expected to protect themselves, that should be left to the experts.
“Internet service providers are gradually moving towards this way of thinking. After all, five years ago, getting anti-viral software from your ISP was a joke, but now most people take this route.”
The vulnerability conundrum
Security professionals and software developers frequently disagree on how quickly software vulnerabilities should be disclosed. Should the public be told as soon as they are found, or should patches be developed before the flaws are brought to everyone's attention?
Greg Day, security analyst at McAfee, believes people should be informed. “There are other steps companies can take to mitigate vulnerabilities, as long as you know what to look for,” he says. “There is a business risk here that needs to be weighed carefully and understood.
“I agree that if nobody else knows about the vulnerability, fine, keep quiet, but this is rarely the case. There is an increasing drive to assess the business case of security: do the solutions incur bigger costs than the problem? Half of all businesses have no idea how much installing patches costs them. This needs to be organised, assessed and the costs need to be understood.”
Dr Andy Jones, research group leader at BT Group's chief technology office, can see the attraction of keeping quiet: “I'm tempted to say that the best solution is to say nothing until absolutely necessary. I understand the argument that if publicised, hackers take the information, develop an attack based on it, thus increasing the number of successful hits.
“That said, in the open source community, the more people aware of the vulnerability, the greater the pool of people working to fix it. Corporations certainly need time to test the patches and apply them, but then many attacks exploit years-old holes that companies just haven't got round to patching. Not all lab information should be released into the public domain, for sure.”
Alex Shipp, who works as a senior anti-virus technologist at MessageLabs, wants to get to grips with the latest data, hot off the presses. “We want the information as soon as possible, but I can understand some companies not liking to release it. As long as we know about it, we can track it and monitor where, when, how and who is carrying out any attacks.”
Gunter Ollmann, director of X-Force at ISS, takes a different line: “Vulnerabilities are best kept quiet until the last minute. It takes time to develop a patch, and enterprises can't just roll them out, they need to run a test cycle. It's getting harder though, as vulnerabilities mount year-on-year, and tools to detect them improve. Reverse-engineering the latest patch release is also increasingly popular, especially after Microsoft recently patched three vulnerabilities with one release, but only publicly disclosed one.”
In addition to his role as senior security analyst at US-based TippingPoint, Rohit Dhamankar authors the SANS Institute's weekly @RISK newsletter. Prior to joining TippingPoint, he worked for Cisco Systems.
“The biggest trend I am seeing is the growth in attacks on the client side – home PCs – as opposed to attacks on business servers. Attacks are often either through the browser (especially in the last six months) or come via emailed file formats users would normally consider trustworthy, such as ppt, doc or jpg, rather than exe. As users migrate away from Internet Explorer on Windows towards ‘safer’ Macs, so we are seeing more proof-of-concept malicious code for Safari.
“As an industry, we need to speed up the patching cycle. At present it still takes many days even after release, which is way too slow. Also, the growing prevalence of unmetered, unsecured ADSL is making things harder, too: hackers can now move far more rapidly than before. Internet service providers should be forced to regulate and scan their traffic more effectively.”
Graham Cluley, senior technology consultant at Sophos, developed the first Windows version of Dr Solomon's anti-virus toolkit in 1992.
“The creativity has gone now. There used to be viruses that brought up skull and crossbones or ambulances on your screen, now it's much quieter, with 80 per cent of new threats being Trojans, rather than viruses or worms. It would be a mistake to say the virus is dead though – you can't patch people clicking on an attachment. A disturbing development is the recent spate of ransomware attacks, where files are encrypted and a key has to be bought. The worst of these we've seen was one where a file would be deleted every ten minutes – it's like shooting hostages.
“The trouble with the adware market, a major funding source for botnets, is that perfectly legitimate companies sometimes find their products being sold by dubious means due to outsourcing. It's very hard to pin down responsibility then in such cases. I think the future will be less about blocking bad stuff, more about authorising good stuff, certainly in the business world.”
Microsoft BlueHat Conference
The world's most widely used desktop software vendor, Microsoft, has increasingly been addressing the concerns of security-conscious customers. Aside from flagship security changes in the new Vista operating system, the company has also embarked on the process of meeting the “other side” in person, through the BlueHat conference programme. The name is a reference to the annual Black Hat conference held in Las Vegas.
The second BlueHat Conference, in 2005, saw a group of security researchers invited to Microsoft's Redmond campus to demonstrate their modus operandi and discuss vulnerabilities with top management. More than 1,000 Microsoft developers, managers and security experts attended, including Jim Allchin and Kevin Johnson, co-presidents of the company's platforms and services division.
The software developers were in for a shock as various issues were raised, some being serious zero-day vulnerabilities. One group of hackers spoofed a wireless network to demonstrate how a laptop running properly patched and updated Windows XP SP2 could be coerced into joining a malicious network.
“There was a moment where everything just stopped,” Stephen Toulouse, a program manager in Microsoft's security unit, told journalists after the wireless network presentation.
“You've got guys in the audience who wrote that code ... Some of the things developers coming out of the talks were saying were great ideas to change the way products are developed to make sure this won't happen again.”
The latest BlueHat conference was held in March this year, and included talks about database rootkits, hacking search engines, breaking into databases and the latest version of vulnerability-testing tool Metasploit.
Microsoft says it will use the information to educate developers and update its Security Development Lifecycle (SDL). However, sceptics claim the event is aimed more at wooing influential security professionals who will be making the choice between reporting security flaws discreetly or going public with them.
The next meeting is scheduled for later this year.
Mikko Hypponen, chief research officer at the F-Secure Corporation, has been analysing viruses since 1991. He has consulted with organisations including IBM, Microsoft, FBI, US Secret Service, Interpol and Scotland Yard.
“There is some good news: law enforcement has got much better, with international co-operation becoming commonplace, and much better information sharing.
“Internet service providers are getting better, too. I spent two weeks trying to get Geocities to take down a malicious site two years ago; now it would take less than an hour. However, short of global laws, which are very unlikely to become a reality in my lifetime, there is still a lot of work to do. ISPs have a big problem, in that they should, and technically speaking could, stop this traffic, but it is much easier to just ignore the problem.
“There is a lot of talk that some spear phishing exploits and rootkit use is down to industrial espionage. IP addresses often point to China, but I think that is a far too obvious conclusion. People talk of ‘state sponsored’ attacks, but again I think this is way too simplistic to be very accurate.
“Businesses need to be more intelligent, both in the technology they employ and in their use of resources. Intelligent network tracking will solve many ills, but you need an accurate baseline of ‘normal’ activity to work from – many companies have no idea what this would look like.”
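Hypponen's point about needing a baseline of ‘normal’ activity, and Jones's earlier remark that bots are found by traffic monitoring, are easiest to see in code. The following is an added example, not code from the article or from any of the companies quoted: it builds a per-host baseline of destination ports and daily outbound volume from a constructed week of quiet flow records, then scores a later day against it. The hosts, ports and byte counts are constructed, and the z-score threshold of 3 and the fallback for a flat baseline are assumptions.

```python
"""Baseline-driven egress anomaly detection over constructed flow records.

Added example, not code from the article. Builds a per-host baseline of
'normal' outbound behaviour (destination ports seen, daily outbound bytes)
from a quiet week, then scores a later day against that baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    day: int          # observation day (constructed)
    host: str         # internal source host
    dst_port: int     # destination port
    bytes_out: int    # bytes sent by the host


@dataclass
class HostBaseline:
    ports: Set[int]        # destination ports seen during the baseline period
    daily_mean: float      # mean outbound bytes per day
    daily_sd: float        # population std dev of outbound bytes per day


def build_baseline(flows: List[Flow]) -> Dict[str, HostBaseline]:
    """Summarise a known-good period into per-host baselines."""
    per_day: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    ports: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        per_day[f.host][f.day] += f.bytes_out
        ports[f.host].add(f.dst_port)
    return {
        host: HostBaseline(ports[host], mean(list(days.values())), pstdev(list(days.values())))
        for host, days in per_day.items()
    }


def score_day(flows: List[Flow], baseline: Dict[str, HostBaseline],
              z_threshold: float = 3.0) -> List[Tuple[str, str]]:
    """Return (host, reason) findings for one day's flows against the baseline."""
    totals: Dict[str, int] = defaultdict(int)
    new_ports: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        totals[f.host] += f.bytes_out
        known = baseline[f.host].ports if f.host in baseline else set()
        if f.dst_port not in known:
            new_ports[f.host].add(f.dst_port)

    findings: List[Tuple[str, str]] = []
    for host, total in totals.items():
        if host not in baseline:
            findings.append((host, "no baseline for host"))
            continue
        b = baseline[host]
        # A perfectly flat baseline has sd == 0; fall back to 10% of the mean
        # (assumption) so a tiny change does not produce an infinite z-score.
        sd = b.daily_sd if b.daily_sd > 0 else max(1.0, 0.1 * b.daily_mean)
        z = (total - b.daily_mean) / sd
        if z > z_threshold:
            findings.append((host, f"outbound volume z={z:.1f} ({total} bytes)"))
        if new_ports[host]:
            findings.append((host, f"new destination ports {sorted(new_ports[host])}"))
    return findings


def make_baseline_flows() -> List[Flow]:
    """Constructed data: seven quiet days of web (443/80) and DNS (53) for two hosts."""
    flows: List[Flow] = []
    for d in range(1, 8):
        jitter = 1000 * (d % 3)  # small day-to-day variation so sd is non-zero
        flows += [
            Flow(d, "pc-01", 443, 50_000 + jitter), Flow(d, "pc-01", 80, 20_000),
            Flow(d, "pc-01", 53, 2_000),
            Flow(d, "pc-02", 443, 40_000 + jitter), Flow(d, "pc-02", 53, 1_500),
        ]
    return flows


BASELINE_FLOWS: List[Flow] = make_baseline_flows()

# Day 8 (constructed): pc-01 is unchanged; pc-02 has joined a botnet, opens an
# IRC command channel and starts sending spam straight to remote mail servers.
DAY8_FLOWS: List[Flow] = [
    Flow(8, "pc-01", 443, 52_000), Flow(8, "pc-01", 80, 20_000), Flow(8, "pc-01", 53, 2_000),
    Flow(8, "pc-02", 443, 41_000), Flow(8, "pc-02", 53, 1_500),
    Flow(8, "pc-02", 6667, 200),          # IRC C2: tiny, but never seen before
    Flow(8, "pc-02", 25, 5_000_000),      # outbound SMTP: huge volume
]

if __name__ == "__main__":
    for host, reason in score_day(DAY8_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{host}: {reason}")
```

Two separate signals are kept on purpose: the IRC channel is only a few hundred bytes and would never trip a volume check, while the spam run would trip volume alone; a host that does something it has never done before is worth a look even when the byte count is negligible.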
Gunter Ollmann is the director of X-Force at Internet Security Systems (ISS). He has worked in IT for 18 years, and advises the UK's National High Tech Crime Unit.
“Hacking tools are getting very powerful, and the resources for them more complex. Commercial companies are offering big money for exploit code before it is published, while tools such as Metasploit are updated within hours of publication of the latest exploit information. We have seen bot networks that can update automatically with the latest exploits, too, even using third-party updates. Some cover up infection by patching the vulnerability they exploited to gain entry, making them very hard to spot.
“I think the growing use of encryption is the most worrying technical trend. Many legitimate applications now encrypt their traffic, and it makes it much harder to spot malicious traffic. Although less than 10 per cent of bots use it at the moment, by 2008 at least 50 per cent will do so. We will also be seeing a lot more use of scripting languages for drive-by browser attacks. Sandboxing may stop these, but it requires a huge amount of processing power.”
Cybertrust's chief technology officer Dr Peter Tippett advised the joint chiefs of staff on cyber warfare during Desert Storm and produced the original version of what later became Norton Anti-Virus software.
“Hackers now have such a range of tools to use, it's amazing: master toolkits to produce whatever worm, trojan or bot you wish. It's all just a case of bolting together parts – encryption, multi-control channels, obfuscation – it's all there in easy-assembly kits.
“Very little of this is new technology, but with a few tweaks a hacker can produce a ‘new' trojan or bot in minutes. We can now see the criminal element on the web has built something just as robust as the internet, but for use by miscreants.
“I believe we'll see more trading of resources between hackers, as they become more specialised in their sectors. This has always been the case to some extent, but it will take place on a much bigger scale soon. ID theft will also increase and become more sophisticated – many street criminals still don't know the worth of a laptop full of customer data – but soon they will.
“To combat this threat, we need to focus on smart security. For example, a router, even a wireless one, can be configured to ‘default deny' outbound traffic. This costs nothing to do, but makes exploiting the connection much harder. Only two per cent of users actually do this, even though it makes you 80 per cent more secure. We need to assess costs of counter-measures more effectively and get them implemented on a greater scale.”
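Tippett's ‘default deny' outbound setting is worth seeing side by side with the usual default-allow configuration. The following is an added example, not code from the article or from Cybertrust: it evaluates a handful of constructed outbound flows under both policies and renders the default-deny allowlist as iptables commands for the OUTPUT chain of a Linux router or host. The allowlist itself (web, DNS only to one resolver, mail only via one relay) and the RFC 5737 test addresses are assumptions.

```python
"""'Default deny' outbound filtering, contrasted with the usual 'default allow'.

Added example, not code from the article. Evaluates constructed outbound flows
under both policies and renders the default-deny allowlist as iptables commands
for the OUTPUT chain of a Linux router or host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Rule:
    proto: str                      # "tcp" or "udp"
    dst_port: int
    dst_host: Optional[str] = None  # None means any destination address


# Flow = (proto, dst_host, dst_port, label). Addresses are RFC 5737 test ranges.
Flow = Tuple[str, str, int, str]

FLOWS: List[Flow] = [
    ("tcp", "203.0.113.10", 443, "browser HTTPS"),
    ("tcp", "203.0.113.10", 80, "browser HTTP"),
    ("udp", "192.0.2.53", 53, "DNS to the configured resolver"),
    ("udp", "198.51.100.7", 53, "DNS to an unknown resolver"),
    ("tcp", "198.51.100.200", 6667, "bot IRC command channel"),
    ("tcp", "203.0.113.25", 25, "spam sent straight to a remote mail server"),
    ("tcp", "203.0.113.10", 8080, "adware update on a non-standard port"),
]

# The allowlist a home or small-office network actually needs (assumption):
# web, DNS to the one resolver we run, and mail only via our own relay.
DEFAULT_DENY_RULES: List[Rule] = [
    Rule("tcp", 443),
    Rule("tcp", 80),
    Rule("udp", 53, "192.0.2.53"),
    Rule("tcp", 25, "192.0.2.25"),
]


def evaluate(flow: Flow, rules: List[Rule], default: str) -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    proto, host, port, _ = flow
    for r in rules:
        if r.proto == proto and r.dst_port == port and r.dst_host in (None, host):
            return ACCEPT
    return default


def decisions(rules: List[Rule], default: str) -> Dict[str, str]:
    """Map each flow's label to the verdict under the given policy."""
    return {f[3]: evaluate(f, rules, default) for f in FLOWS}


def render_iptables(rules: List[Rule], chain: str = "OUTPUT") -> List[str]:
    """Render the allowlist as iptables commands implementing default-deny egress."""
    lines = [
        f"iptables -P {chain} DROP",                                      # the default
        f"iptables -A {chain} -o lo -j ACCEPT",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        dst = f" -d {r.dst_host}" if r.dst_host else ""
        lines.append(f"iptables -A {chain} -p {r.proto}{dst} --dport {r.dst_port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for policy, rules, default in (("default allow", [], ACCEPT),
                                   ("default deny", DEFAULT_DENY_RULES, DROP)):
        print(f"== {policy} ==")
        for label, verdict in decisions(rules, default).items():
            print(f"  {verdict:6} {label}")
    print("\n".join(render_iptables(DEFAULT_DENY_RULES)))
```

Under default allow every flow passes, including the bot's IRC channel and the direct-to-MX spam; under default deny those are dropped without anyone having to know the bot exists, which is the point Tippett is making. Pinning DNS to one resolver also closes the common trick of tunnelling command traffic over port 53 to an attacker-controlled server.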