Security 2008: The rise of malware

gallery

It was a watershed year as many of the threats of 2007 evolved this year into significant threats which will last until 2009 and beyond.

Malware, online fraud, data breaches and social engineering were only some of the techniques that the profit-driven criminal used, as the arms race between the bad guys and the security industry kept moving forward.

The biggest event to hit security this year was arguably Dan Kaminsky’s discovery of a flaw at the very heart of the internet – the Domain Name System (DNS), which translates web addresses into IP addresses.

The problem had the potential to poison DNS records so that users could be redirected to malicious websites, even if they typed correct address of a legitimate website. This had severe repercussions for users, as anything from an online transaction to an email could be vulnerable.

A multi-vendor patch was created to lay a bandage on the gaping wound, but this won’t be the last we hear, and expect to see a lot more coverage of this problem in 2009.

Web-based malware was also a big theme this year, as it became more common for malware writers to plant code on legitimate websites which could lead to drive-by malware downloads.

The SQL injection was a common way for this to be done, and there were several high-profile incidents of this happening, including an incident with the Asprox Trojan where an NHS website was infected.

Online fraud and identity theft was a huge problem before 2008, and it has only gotten worse. Normally you would associate online crime with shadowy underworld Russian gangs, but as IT PRO discovered, it’s become easier for anybody to join in the “fun”.

The UK made some belated steps to really focus on the problems and difficulties in enforcement. This year, the Home Office confirmed that it was willing to fund an e-crime unit which would centre police and possibly vendor efforts in fighting against cybercrime.

Data breaches became regular – another data breach, more lax security. There were several very serious and high-profile cases this year, with many involving government departments and the public sector.

This list is large - at the last count the Information Commissioner’s office reported 277. However, awareness of the problem is much more than it perhaps was a year ago, and steps have been taken to make sure that your data is not lost in stupid ways, without someone at least being held accountable.

And finally, 2008 was the year of the credit crunch, and as usual the cybercriminals were there to take advantage of any weakness. In the face of the crisis, criminals have changed their phishing tactics to target the vulnerable. Social engineering in 2008 stretched from email and more into social networks like Facebook, which people are often a little less careful about.

Email to a friend

Print this page