http://www.echannelline.com/canada/story.cfm?item=DLY040808-1
8-April-2008
by Vanessa Ho
Volume XIII of Symantec’s Global Internet Security Threat Report (ISTR) reports that the Web has quickly become the attack vector of choice.
Symantec’s Global ISTR provides a six-month update of Internet threat activity and includes analysis of network-based attacks, a review of known vulnerabilities and highlights of malicious code activity. It also discusses numerous issues related to online fraud, including phishing and spam.
According to Michael Murphy, vice president and general manager of Symantec Canada, the biggest change in this volume of the report has been attacks on the Web moving from something to watch out for to something that is now in the realm of reality.
“One of the seismic changes in this threat report is the first real evidence that threats are targeting Web applications almost exclusively while attacks to computers and operating systems have slowly fallen off the screen,” said Murphy.
He added that attacks of today are focused on Web applications, Web content and Web sites because that’s where people are hanging out and that’s where data is being collected.
“The ubiquitous nature of the Web and Web applications is why attackers are using it as an attack vector and the expansion of social networking sites are more than ever a conduit attackers are trying to exploit,” Murphy noted.
The report indicated that social networking Web sites have been easy targets for criminals to spoof and, because these sites are trusted by users, phishing attacks mimicking them may have a better chance of success.
Murphy indicated that the top four phishing sites that the report observed were social networking sites like MySpace and Facebook.
“The end user is always going to be the weakest link and the attackers are leveraging that because they want to dupe the individual to capture data. If you cull enough data from somebody you can create an identity [that can] be worth a lot of money. The commercialization is what drives the attackers,” he added.
In terms of this underground economy, volume XIII of the ISTR noted that bank accounts were the number one goods and services being sold, followed by credit cards and full identities. While Murphy said the pricing of these hasn’t changed since the last report, the bulk purchasing of bank accounts and the like has.
Another new finding is that attackers are moving away from mainstream developed countries to regions or countries like Peru where security practices, legislation and infrastructure are not well developed.
Other attack trends include Symantec observing an average of 61,840 active bot network computers per day, a 17 per cent increase from the first half of 2007. Canada saw an average of 7,344 active bot-infected computers per day. Toronto, Montreal and Calgary were the top bot cities.
Volume XIII also broke out attack trends in terms of malicious activity via ISPs.
Murphy stressed that this doesn’t mean the ISPs are propagating the attacks; rather, the attackers are subscribers using IP addresses the ISPs assigned to them.
But he added that these statistics prove that ISPs can do a better job of educating their customers in the area of security.
“It’s not just about offering technology but helping customers understand the challenges facing them and how they can protect themselves beyond anti-virus to include anti-phishing, personal firewall and data loss prevention,” said Murphy.
In terms of vulnerabilities, the Mozilla family of browsers had the highest number of vulnerabilities during this reporting period at 88, a 60 per cent increase over the last report. The window of exposure for these vulnerabilities was three days. While Microsoft showed fewer reported vulnerabilities, its window of exposure was the longest at 11 days.
As well, Symantec documented 239 browser plug-in vulnerabilities in the last six months of 2007, compared with 237 in the first six months. During the last half of 2007, 79 per cent of those vulnerabilities affected ActiveX components, down from 89 per cent in the first half.
“As much as browsers have become secure, plug-ins have not and patches have not been readily available,” said Murphy.
New in this report is an observation on malicious code trends: in the last six months of 2007, seven per cent of the top 50 malicious code samples modified web pages, up three per cent from the first half of 2007. In the second half of 2006, none of the top 50 malicious code samples attempted to modify web pages on compromised computers.
“This is almost a reverse to old school stuff,” said James Quin, senior research analyst with Info-Tech Research Group. “Web site defacement was one of the first types of cyber attacks done just for notoriety and now the same threat is being turned around for monetary gain.”
In the second half of 2007, 40 per cent of malicious code that propagated did so as shared executable files, a significant increase from 14 per cent during the first half of the year.
“Most file sharing is peer-to-peer and SMTP [and are targets] because this is where individuals are most socially engineered,” said Murphy.
While spam has grown 71 per cent from 65 per cent in the previous volume of the report, Murphy noted that spam is becoming less about selling product and more a conduit for social engineering phishing attacks.
“As long as spam is still lucrative and fast growing, it will still be used,” he added.
As for what to watch for in the future, Murphy said there is an increasing trend in the industry to adopt whitelisting.
He explained that whitelisting is a list of all applications or things that are good that can get onto a person’s network or computer. Traditionally, blacklisting was used. Blacklisting is a list of all things that are bad that need to be prevented from entering a network or system.
But now, with over a million distinct threats out there today, Murphy said it would take a lot of time and effort to maintain a blacklist that long and keep it portable enough that a device with enough computing power can hold the list to detect malicious threats.
He added that the problem with a whitelist is determining what makes the list, but Murphy still believes that whitelisting is the way to go considering how threats are growing.
“Symantec is working on how best to integrate whitelisting but not at the expense of blacklisting as they have to co-exist together.”
Another trend to watch is the rapid and widespread growth in external storage devices like USB sticks, cellular phones, audio players and cameras that can pose a risk of enterprise data loss.