Cybercriminals will keep pursuing consumers, businesses and government agencies, but other Internet security violators in 2012 will range from teen “hacktivists” to “Big Data companies,” foreign governments, and corporate employees, said security experts on hand at the RSA Conference in San Francisco.
With regard to specific security exploits, participants cited the use of new channels such as DNS for Web site command and control, new “blended attacks” involving mobile malware, and advanced persistent threats (APTs) against new targets such as clouds and pharmaceutical firms. As we see it, here are five general trends that emerged from RSA as top security threats for 2012:
1. Idealistic young ‘hactivists’ will continue to attack.
“It’s certainly been a very interesting and active year in our field with the rise of hacktivism, the increasngly sophisticated targeted attacks, [and] breaches of major organizations,” said Ari Juels, chief scientist and director of EMC’s RSA Laboratories, during a conference session.
Of the data breach cases investigated by Verizon Business during 2012, 29% involved exploitation of default or guessable passwords. Password exploits were followed by backdoor malware at 26%; use of stolen log-in credentials (24%); exploitation of backdoor or command and control channels (23%); keyloggers and spyware (18%); and SQL injection attacks (13%), according to select findings from Verizon Business’ 2012 Data Breach Investigations Report (DBIR) released at the RSA conference.
Over the past year, hactivists have been conducting large-scale exploits to infiltrate law enforcement agencies and major companies and steal sensitive data “for the purposes of embarassing or damaging” these organizations, according to Ed Skoudis, founder and chief security consultant at InGuardians and a speaker at the show.
“The big difference is [that] the attacker doesn’t try to hide,” noted Johannes Ulrich, chief research officer with SANS and a co-presenter with Skoudis at the conference. “They try to open it up and show the world what they have accomplished.”
Hacktivists “claim to be political idealists who want to change things,” contended Misha Glenny, an investigative journalist specializing in cybercrime, during a panel session about hacktivism at the show.
Yet it can be tough for authorities to tell the difference between “genuine idealism” and attacks generated for intellectual property gain or by other kinds of criminal intent.
Many hacktivists are in their teens or twenties. Although “there are some very positive examples” of what hacktivism can do, hactivists can also be “duped by a criminal organization,” according to Glenny.
During the same session, Eric Strom, a cyber-investigator for the FBI, cited “a smaller criminal element that could be associated” with hacktivist attacks.
2. ‘Big Data’ companies are taking control of users while profiting from user information.
In another session at RSA, cryptography expert Bruce Schneier named “Big Data” companies — or companies that “collect, aggregate, and use” large amounts of data about users — as one of the three greatest security dangers.
Schneier suggested that Big Data results in a “feudal security” system where users entrust personal information to organizations such as Google, Apple and Facebook, which then in turn use the collected data to profit from sales of ads or products.
“I mean Big Data as an industry force. like we might talk of Big Tobacco or Big Oil or Big Pharma,” according to Schneier. The emergence of Big Data can’t be helped, he said, because data is so inexpensive. “It’s easier and cheaper to search than [to] sort.”
The lack of control that users now hold over their cloud-based data extends to newer devices such as smartphones. “I can’t do things as a security professional on my iPhone. Apple doesn’t give me the same access that I have on my personal computer,” he said.
Also among the three major dangers are “ill-conceived regulations from law enforcement” and the “cyberwar arms race” among national governments, according to Schneier.
3. Foreign governments will start to target clouds and more types of businesses with APTs.
Another conference speaker, Uri Rivner, head of New Technologies, Consumer Identity Protection, in EMC’s RSA Security Division, described APTs as “military-grade attacks against commercial companies.”
During a pre-show podcast, Rivner predicted that, in 2012, APTs might be launched against cloud-based services and more types of companies — in industries such as pharmaceuticals, energy and mining — as new sources for IP theft.
Meanwhile, attackers are starting to exploit command-and-control systems that use DNS code, Skoudis said during a conference session. Hackers can now produce produce malware that is able to maintain a connection with a machine on a network for as long as the machine can resolve DNS names. To detect such attacks, Skoudis suggested keeping an eye out for unusual DNS traffic.
The RSA show also saw announcements of new products and technologies designed to curb attacks by toughening up authentication for logging into Web sites, for example.
TextPower introduced a new two-factor authentication system that works outside of Web browsers in efforts to avoid keystroke logging, “Man in the Middle,” and “Man in the Browser” attacks.
How does it work? After a user has entered a user ID and password on a Web page, the system displays a one-time authentication code in clear view on the Web page of a PC. The user then texts the authentication code from a cell phone. Even if attackers know the cell phone number, they’ll be unable to spoof the phone, since wireless carriers identify phones by unique identifiers specific to each phone, said Scott Goldman, CEO of TextPower, in an interview with NotebookReview.
4. Attackers will make more use of mobile exploits for hacking into corporate networks.
When it comes to mobile security, lots of people still want to know when we’re going to see giant botnets made up of mobile phones, according to Skoudis. At the moment, though, attackers are beginning to launch so-called “blended attacks” involving the exploitation of employees’ phones.
“Bad guys are going to the Android Marketplace, pulling down an app, building a backdoor into it and selling it in another Android app store for a lower price,” he said.
“Or they’ll take the backdoor, grab an icon from an application someone wants to buy, and sell it in another app store for a lower price.”
While it’s typically harder to sneak an app into Apple’s App store, it can be done. A couple of years ago, for instance, a developer managed to get a “flashlight” app into the App Store even though it contained a tethering feature which violated the policies of wireless carriers.
According to Skoudis, attacks against enterprises through mobile devices won’t be difficult to do, because many corporate executives demand BYOD (bring your own device) network access and many enteprises don’t restrict the use of mobile devices.
As reported in our sister publication, Brighthand, other research released at the RSA Conference shows that BYOD smartphones, laptops and tablets are getting inadequate security protection in terms of encryption and enablement of autolock and password security.
5. Company employees, consultants, and business partners can always pose security risks.
Also at the RSA Conference, Dawn Cappelli, technical manager from Carnegie Mellon’s CERT Insider Threat Center, delivered a session on “insider” exploits by company employees, consultants, and business partners. Almost 50 percent of all companies have been hit by insider attacks, according to recent studies by CERT. Although incursions by outsiders are even much more common, insiders can cause considerable financial damage.
Perpetrators range from terminated employees who sabotage systems out of revenge to lower-level staff bribed by criminal interests to steal or modify company information.
In one incident investigated by CERT, for example, a car salesman offered to pay an empoyee of a credit reporting agency $150 per record to change the credit reports of people who wanted to buy cars but had bad credit. The insider then recruited four co-workers to take part in the scheme. The credit agency didn’t discover the fraud for more than a year.
Companies can even lose corporate information at the hands of unqualified data recovery contractors, hired to recover information when a laptop hard drive fails or a smartphone gets damaged in a drop or fall, maintained Michael Hall, CISO for major data recovery company DriveSavers, in another interview with NotebookReview. Too often, businesses choose a data recovery service on the basis of price or a promise of speedy data recovery rather than adherence to sound security practices, according to Hall.
Hall pointed to the results of a new survey by the Ponemon Institute showing that 87 percent of companies acknowledge experiencing a data breach over the past two years — and that, of these, 21% say that the breach occurred while a drive was in the hands of a third-party data recovery firm.
Although some of this data loss is unintentional on part of data recovery companies, some could be intentional, the survey results indicate. In one case, while away on a business trip, the CEO of a large defense contractor accidentally spilled a diet soda on a notebook PC containing very sensitive information about a forthcoming merger. The CEO then hired a data recovery service in the local area to restore the hard drive.
Two weeks later, information about the merger leaked out during a cable business program. The CEO was told that the merger was now “on hold” and would probably be canceled. An ensuing investigation showed that the data recovery service was a home business and didn’t have proper procedures in place to ensure protection of confidential information.