ITPRO

Printed from www.itpro.co.uk


How to survive in the cyber jungle

There are a lot of dangers that threaten to engulf an organisation's infrastructure, but which threats should IT professionals be most worried about? And can we avoid them?

By Ron Condon, 8 May 2007 at 17:09

Like insurance salesmen warning of the next tsunami or plague, the security product vendors delight in telling us about the growing threats to our systems. But that doesn't make the dangers any less real.

Spam has reached an all-time high, phishing attacks are getting ever more cunning and hackers are constantly finding new ways to penetrate our defences and plant malignant code.

Let's take a look at some of the latest warnings.

Keyloggers

According to Kaspersky Lab, the keylogger has become the weapon of choice for hackers against both businesses and individuals. It has seen a sixfold increase in the number of keyloggers between January 2003 and July 2006, and warns that they are very difficult to combat.

Keyloggers can be a small hardware device plugged into a keyboard for instance, or a bit of rogue software that sits deep in the system where it can record every keystroke and report it back to a remote user.

Keyloggers enable the criminal to get a profile of a user's web browsing habits, to pick up password information, and even credit card numbers. And most users would be unaware of anything untoward happening.

In a new paper Kaspersky gives a detailed description of how keyloggers are planted and how damaging they can be in silently draining the inner secrets from a user or organisation.

Once a keylogger has found its way onto a user's machine (usually by luring them to an infected website), the software is usually hard to detect. The only way to prevent fraud at that point is to use one-time passwords, or to display a soft keyboard on screen for the user to click when entering sensitive information.

Far better, though, to prevent the keylogger getting onto the system in the first place. That comes back to raising user awareness, and applying tools that either block any program not on a whitelist, or spot unusual behaviour.

Man-in-the-middle attack

Several researchers have noticed a new trend in phishing attacks, which traditionally involve email messages asking unsuspecting users to disclose the details of their bank accounts or any other online accounts they may have.

Mikko Hypponen, chief technologist at Finnish security company F-Secure, says the phishers have started using man-in-the-middle attacks to trick not just bank customers but anyone who registers with an e-commerce website.

"Man-in-the-middle attacks are hard to stop. We saw the first of these attacks about 11 months ago, one targeting Paypal, the other targeting a big US bank. Last week we found five separate kits for man-in-the-middle attacks, targeting sites such as Amazon," he says.

Since then, RSA's researchers have also reported finding ready-made kits on the Internet that allow less able hackers to get in on the act and mount their own man-in-the-middle attacks.

Hypponen says the attacks show a high level of cunning to lure even the most cautious user. He gives the example of a recent attack purporting to come from Amazon.

It starts with an email asking you to clarify something about your account at Amazon. "You follow a link and end up on a page that looks just like Amazon," he says. "It asks you for your user name and password, which it sends off to the bad boys just as in traditional scams. But it also uses the user name and password to log into the real Amazon site. It goes to your Amazon profile page and it downloads all the information about you. It then creates a new page which then asks the user to 'confirm' their details.

"It shows your name, street address, the number of purchases you've done. It is very convincing. It asks you to confirm each item. It shows your credit card numbers (just the last four digits, with the other digits asterisked out). It asks you to confirm the last of these credit card numbers in full. So it is asking you to provide the full information in order to prove who you are."

It is a brilliant piece of reverse psychology where the user is persuaded that they need to prove their identity, rather than vice versa.

This is a tough threat for any e-commerce site, and could damage its brand and credibility if enough people get fooled. The only practical answer for any e-commerce site is constantly to remind customers not to respond to such emails.

Spam

This is an old problem that Bill Gates famously predicted would be solved by now. By contrast, spam now regularly sits at around 90 per cent of all mail traffic on the internet, and even crept up to 96 per cent last December.

Spam filters do quite well in weeding out the usual stuff, but the sheer volume of spam brings with it a general degradation of the mail system. Users or organisations crank up the filters, and inevitably start to block legitimate traffic in the process. How many of us have not found important email in a spam folder, or discovered that an urgent email we sent has failed to arrive in our intended recipient's mailbox?

Meanwhile spammers learn new ways of evading the spam filters, such as putting the message into an image, a favourite ploy for pump-and-dump investment scams.

Danish email security company SoftScan says this causes problems because the spam messages are actually larger (the average size of a spam message has increased by 77 per cent since September last year, from 6.62KB to 11.76KB) and continues steadily to grow. This adds to the cost of managing email, wastes bandwidth and consumes storage.

Postini, another email management company, says that during 2006, image-based spam grew from 2 per cent to up to 30 per cent of all spam messages. The increased volume and the greater size led to a 334 per cent increase in the processing and bandwidth requirements for email.

The rise in spam is driven by the rise in botnets, operated by international criminal gangs. Postini says that more than 1m IP addresses every day are now co-ordinating spam and virus attacks from around the world.

With botnets becoming so large, it means they can pump out vast amounts of spam in a short period, and because they are constantly refreshing themselves with new infected PCs, they are very hard for the antispam companies to track and block. This really is a cat-and-mouse game on a huge scale.

More importantly, the spam is not just designed to sell you Viagra or pass on share tips. Apart from the phishing scams described above, the spam is likely to come with a payload of some kind, such as a worm or trojan. For instance, according to Postini, the December 2006 'Happy New Year!' worm generated 20 times the average daily virus volume.

Once the malware is loaded on the victim's computer, then it can be used to gather information, generate more spam, and capture more machines to join the botnet.

As for curing the spam problem, forget it. The economics of sending out spam, and the slim chances of getting caught or prosecuted, mean that the spammers will continue to operate. Putting email management out to a service company sounds like a smart move for all but the smallest companies.

Web application threats

Web applications should be the most secure parts of the system, as they deal with a largely untrusted population of users, unlike in-house applications which deal with a finite population of named employees. And yet many websites are still vulnerable to techniques such as SQL injection and cross-site scripting.

In both these cases, the problem comes from the web application not validating input properly. For example, just by entering a few special characters in a web form, the user can trigger a database error message that would reveal details of the background system.

And yet going back to basic programming principles, where all input is validated before being allowed into the system, would solve most of the problems. "We shouldn't blame the developers for this," says Michael Sutton, who carries the title of Security Evangelist at SPI Dynamics. "They are told to build applications with lots of functionality and to build it fast. Security takes a back seat."
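The two failure modes this section describes, a query assembled from raw form input that surfaces a database error, and the basic fix of validating input and binding it as a parameter, shown side by side. This is an added illustration, not code from the article or from SPI Dynamics; the table, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_lookup(conn, name):
    """Builds the query by string concatenation and echoes the raw database
    error back to the caller. A stray quote in the form field is enough to
    break the statement and leak engine details to the user."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # The error text reveals the SQL fragment and the database engine.
        return {"rows": [], "error": f"{type(exc).__name__}: {exc}"}


def safe_lookup(conn, name):
    """Validates the input first, then binds it as a parameter so the
    database only ever sees it as data. Failures return a generic message
    instead of the engine's own error text."""
    if not name or len(name) > 64 or not name.isprintable():
        return {"rows": [], "error": "invalid input"}
    try:
        rows = conn.execute(
            "SELECT name, email FROM users WHERE name = ?", (name,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe is enough to trigger the leak.
    print(vulnerable_lookup(db, "O'Brien"))
    print(safe_lookup(db, "O'Brien"))
```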

Insider threats

Most studies agree that most threats (around 80 per cent) come from insiders - people with authorisation to use the systems and with valid passwords. They can be malicious employees with a grudge to settle, or merely incompetents who make mistakes and download dodgy mail attachments.

Security awareness training can go a long way in helping incompetents avoid mistakes, but technology has to play a role in stopping the malcontents. Role-based access management, and automated provisioning and de-provisioning of users will help limit the amount of damage they can do.

In practice, many companies still struggle to manage roles tightly enough and provisioning is a laborious affair. Many staff retain access rights to systems long after they have left the organisation.

Companies also struggle to keep track of their network infrastructure. According to Jeremy Nazarian, head of marketing at risk management company Lumeta, "around 20 per cent of the devices and hosts on a network will be unmanaged", and therefore may have security holes that can be exploited. He says that with constant re-organisations, mergers and company sell-offs, and extended supply chains, security teams often fail to keep track of all the devices with a legitimate connection. Branch offices may decide to set up a DSL connection without permission, for instance; or a supplier that gets fired may still have a network connection.

These all leave the way open for abuse, and yet can be prevented with the right network management and discovery tools.

And the rest...

There are plenty of other new threats to worry about - wireless networks, mobile phone viruses and even iPod viruses, according to Kaspersky, which claims to have discovered the first example. Then we have the potential for chaos as the telephone system switches to VoIP.

But they can probably wait for a few months, maybe years in some cases. Far better to focus time and money by applying the basic rules of security. Start with a proper risk assessment to see what assets are the most valuable and therefore need testing.

Do regular staff awareness training - if users behave, most of the threats outlined above can be avoided.

Patch vulnerabilities properly, and validate input in web applications. And where possible, use a specialised service supplier to carry out tasks. That way, you should be safe.

As Nick Ross always says on Crimewatch, don't have nightmares.
