Security breaches look set to get worse as
hacker groups target smartphones and social media and release more information
online.
Personal information leaked online is
becoming an all too common occurrence. For example, Sony suffered a massive
breach of its PlayStation Network earlier this year that led to the theft of
names, addresses and possibly credit-card data belonging to 77 million users.
If you think the situation is bad now, just
wait. Things will get worse as more information is dumped online by mischievous
hacker groups such as Anonymous, and cybercriminals begin to target smartphones
and social media.
In August, AntiSec (a collaboration between
Anonymous and the disbanded LulzSec group) released more than 10GB of
information from 70 US law-enforcement agencies. According to Todd Feinman, CEO
of DLP vendor Identity Finder, AntiSec wasn’t motivated by money.
“AntiSec doesn’t like how various
law-enforcement agencies operate and it’s trying to embarrass and discredit them,”
he said.
But, he added, what it doesn’t realise is
that when it publishes sensitive personal information, it’s helping low-skilled
cybercriminals commit identity theft. Every week, another government department
or business has its records breached – some 250,000 to 500,000 each year,
estimated Feinman. Few details from those breaches are published online for all
to see, however.
While certain high-profile attacks, such as
the one on Sony, are intended to embarrass and spark change, the US
law-enforcement breach could represent a shift in hacker thinking. AntiSec’s
motivations appear to have a key difference, with the attackers consciously
considering collateral damage as a strategic weapon.
According to Feinman, AntiSec wrote
online: “We don’t care about collateral damage. It will happen, and so be it.”
Social networking
Experts say the future of malware is more
about how potential victims will be targeted than how it will be engineered.
Collateral damage won’t be limited to innocents compromised through no fault of
their own.
Have you ever accepted a friend request on
Facebook or connected to someone on LinkedIn you don’t know? Perhaps you
thought it was someone from school you’d forgotten about, or a former colleague
whose name had slipped your mind. Not wanting to seem rude, you accepted them
as a friend and quickly forgot about it.
“When people make trust decisions with
social networks, they don’t always understand the ramifications. Today, you are
far more knowable by someone who doesn’t know you than ever,” said Dr Hugh
Thompson, program chair of RSA Conferences.
We all know people who discuss everything
they do on a social network or blog, from eating their breakfast to clipping
their toenails. While most of us consider these people a nuisance and may hide
their status updates, cybercriminals love them.
“Password-reset questions are easy to guess,
and tools such as Ancestry.com, while not created for this purpose, provide
hackers with useful information,” said Thompson.
There are a few areas he believes the IT
security industry needs to concentrate on: security for social media, ways to
manage the information shared about you, and better methods for measuring
evolving risks.
Enterprise targets
Fake security software is the most common
type of social-engineering attack that researchers at Blue Coat Systems come
across. Chris Larsen, head of the lab, explained that social networks aren’t
being used only to target individuals.
Larsen outlined a recent attack attempt
where hackers targeted executives of a major corporation through their spouses.
The chances were at least one of the businessmen would have a poorly secured
home PC that he shared with his non-tech-savvy wife. This would provide the
backdoor needed to gain access to the company.
“Whaling is definitely on the rise,” said
Paul Wood, senior intelligence analyst for Symantec.cloud. “Just a couple years
ago, we saw one or two of these sorts of attacks per day. Today, we catch as
many as 80.”
According to Wood, social engineering is by
far the most potent weapon in the cybercriminal’s toolbox (automated, widely
available malware and hacking toolkits are number two). Combine that with the
fact that many senior executives circumvent IT security because they want the
latest and trendiest devices, and cybercriminals have many valuable,
easy-to-hit targets in their sights.
“Attacks on small businesses are
increasingly dramatic because they are usually the weakest link in a larger
supply chain,” said Wood.
There’s no sure way to defend against this.
Until companies start scrutinising the cyber-security of their partners and
suppliers, they can’t say with any certainty whether or not they themselves are
secure. While it’s common for large firms to keep a close eye on their
suppliers, with factory visits that result in the implementation of an array of
‘best practices’, companies aren’t doing this when it comes to cyber-security.
Smartphone threats
Smartphone threats are on the rise, but we’ve
yet to see a major incident. This is partly due to platform fragmentation.
Malware creators still get better results by targeting PCs or websites.
Larsen believes that platform-agnostic,
web-based worms represent the new frontier of malware. Platform-agnostic malware
lets legitimate developers do some of the heavy lifting for malware writers. As
developers re-engineer sites and apps to work on a variety of devices, hackers
can then target the HTML, XML, JPEGs and so on that render on any device,
anywhere.
Mobile phones are serving as a second
identity factor for all sorts of corporate authentication schemes. Businesses
that used to rely on hard tokens, such as RSA SecurID, are moving to soft
tokens, which can reside on mobile phones roaming beyond the corporation as
easily as on PCs ensconced within corporate walls.
“Two-factor authentication originally emerged
because people couldn’t trust computers. Using mobile phones as an identity
factor defeats two-factor authentication,” said Marc Maiffret, CTO of eEye
Digital Security.
Today, Android is the big smartphone
target, but don’t be surprised if attackers soon turn their attention to the
iPhone - especially if third-party antivirus programs become more or less
standard on Android devices. Phone demographics are appealing to attackers, and
security experts will tell you that Apple products are notoriously insecure.
Apple is reluctant to provide third-party
security entities with the kind of platform access they need to improve the
security of iPhones, iPads, Macnook Airs and so on. “Apple is very much on its
own with security,” said Maiffret. ‘it almost mirrors late-90s Microsoft, and
it’ll probably take a major incident or two to incite Change.’
If we’ve learned anything about security in
the past 20 years, it’s that another major incident is always looming just over
the horizon. With the number of IP-connected devices climbing to anywhere from
50 billion to a trillion in the next five to 10 years, tomorrow’s hackers could
target anything from home alarms and air traffic-control systems to flood
control in dams.