The future of malware : Social networking, Enterprise targets & Smartphone threats

4/6/2012 2:46:16 PM

Security breaches look set to get worse as hacker groups target smartphones and social media and release more information online.


Personal information leaked online is becoming an all too common occurrence. For example, Sony suffered a massive breach of its PlayStation Network earlier this year that led to the theft of names, addresses and possibly credit-card data belonging to 77 million users.

If you think the situation is bad now, just wait. Things will get worse as more information is dumped online by mischievous hacker groups such as Anonymous, and cybercriminals begin to target smartphones and social media.

In August, AntiSec (a collaboration between Anonymous and the disbanded LulzSec group) released more than 10GB of information from 70 US law-enforcement agencies. According to Todd Feinman, CEO of DLP vendor Identity Finder, AntiSec wasn’t motivated by money.

“AntiSec doesn’t like how various law-enforcement agencies operate and it’s trying to embarrass and discredit them,” he said.

But, he added, what it doesn’t realise is that when it publishes sensitive personal information, it’s helping low-skilled cybercriminals commit identity theft. Every week, another government department or business has its records breached – some 250,000 to 500,000 each year, estimated Feinman. Few details from those breaches are published online for all to see, however.

While certain high-profile attacks, such as the one on Sony, are intended to embarrass and spark change, the US law-enforcement breach could represent a shift in hacker thinking. AntiSec’s motivations appear to have a key difference, with the attackers consciously considering collateral damage as a strategic weapon.

According to Feinman, AntiSec wrote online: “We don’t care about collateral damage. It will happen, and so be it.”

Social networking



Experts say the future of malware is more about how potential victims will be targeted than how it will be engineered. Collateral damage won’t be limited to innocents compromised through no fault of their own.

Have you ever accepted a friend request on Facebook or connected to someone on LinkedIn you don’t know? Perhaps you thought it was someone from school you’d forgotten about, or a former colleague whose name had slipped your mind. Not wanting to seem rude, you accepted them as a friend and quickly forgot about it.

“When people make trust decisions with social networks, they don’t always understand the ramifications. Today, you are far more knowable by someone who doesn’t know you than ever,” said Dr Hugh Thompson, program chair of RSA Conferences.

We all know people who discuss everything they do on a social network or blog, from eating their breakfast to clipping their toenails. While most of us consider these people a nuisance and may hide their status updates, cybercriminals love them.

“Password-reset questions are easy to guess, and tools such as, while not created for this purpose, provide hackers with useful information,” said Thompson.

There are a few areas he believes the IT security industry needs to concentrate on: security for social media, ways to manage the information shared about you, and better methods for measuring evolving risks.

Enterprise targets

Fake security software is the most common type of social-engineering attack that researchers at Blue Coat Systems come across. Chris Larsen, head of the lab, explained that social networks aren’t being used only to target individuals.

Larsen outlined a recent attack attempt where hackers targeted executives of a major corporation through their spouses. The chances were at least one of the businessmen would have a poorly secured home PC that he shared with his non-tech-savvy wife. This would provide the backdoor needed to gain access to the company.

“Whaling is definitely on the rise,” said Paul Wood, senior intelligence analyst for “Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80.”

According to Wood, social engineering is by far the most potent weapon in the cybercriminal’s toolbox (automated, widely available malware and hacking toolkits are number two). Combine that with the fact that many senior executives circumvent IT security because they want the latest and trendiest devices, and cybercriminals have many valuable, easy-to-hit targets in their sights.

“Attacks on small businesses are increasingly dramatic because they are usually the weakest link in a larger supply chain,” said Wood.

There’s no sure way to defend against this. Until companies start scrutinising the cyber-security of their partners and suppliers, they can’t say with any certainty whether or not they themselves are secure. While it’s common for large firms to keep a close eye on their suppliers, with factory visits that result in the implementation of an array of ‘best practices’, companies aren’t doing this when it comes to cyber-security.

Smartphone threats


Smartphone threats are on the rise, but we’ve yet to see a major incident. This is partly due to platform fragmentation. Malware creators still get better results by targeting PCs or websites.

Larsen believes that platform-agnostic, web-based worms represent the new frontier of malware. Platform-agnostic malware lets legitimate developers do some of the heavy lifting for malware writers. As developers re-engineer sites and apps to work on a variety of devices, hackers can then target the HTML, XML, JPEGs and so on that render on any device, anywhere.

Mobile phones are serving as a second identity factor for all sorts of corporate authentication schemes. Businesses that used to rely on hard tokens, such as RSA SecurID, are moving to soft tokens, which can reside on mobile phones roaming beyond the corporation as easily as on PCs ensconced within corporate walls.

“Two-factor authentication originally emerged because people couldn’t trust computers. Using mobile phones as an identity factor defeats two-factor authentication,” said Marc Maiffret, CTO of eEye Digital Security.

Today, Android is the big smartphone target, but don’t be surprised if attackers soon turn their attention to the iPhone - especially if third-party antivirus programs become more or less standard on Android devices. Phone demographics are appealing to attackers, and security experts will tell you that Apple products are notoriously insecure.

Apple is reluctant to provide third-party security entities with the kind of platform access they need to improve the security of iPhones, iPads, MacBook Airs and so on. “Apple is very much on its own with security,” said Maiffret. “It almost mirrors late-90s Microsoft, and it’ll probably take a major incident or two to incite change.”

If we’ve learned anything about security in the past 20 years, it’s that another major incident is always looming just over the horizon. With the number of IP-connected devices climbing to anywhere from 50 billion to a trillion in the next five to 10 years, tomorrow’s hackers could target anything from home alarms and air traffic-control systems to flood control in dams.
