 

Security Expert: What The Internet Has in Store for You In 2005

Informatica Security President Claudiu Popa presents his yearly views on information security trends and the outlook for 2005. His opinions are entirely his own and those of everyone he manages to convince.

(PRWEB) December 10, 2004 -- Every year around the winter holidays, I offer – okay, force – my immense wisdom and wit upon an unsuspecting audience. This year is no exception and as usual, I have some good and bad news related to happenings that will impact your Internet experience and perhaps even your wallet. You say you want the bad news first? Okay. In 2005 you'll hear a lot more about computer fraud, theft and financial losses than ever before. Why? Because there will be more of that taking place than ever before. Is there a chance that someone you know will be a victim? You bet. It's not all bad however, but you'll have to read through to the end to get the good news. For now, more pressing issues, starting with everyone's friend: email.

Boy oh boy! Those of you who hate spam are in for a rough ride. According to MessageLabs, spam now accounts for 73% of all email, but that's the least of our problems because a new form of identity theft is on the rise. Phishing, based on the not-so-new practice of lying and stealing, is coming to an inbox near you. Over the past year, most Internet users have received a message seeking to extract personal financial information from them under urgent threat of closing bank accounts and falling skies. Up to 5% of recipients have actually clicked through these emails and submitted their personal information to a site that looked legitimate. In fact, the look and feel of the sites is identical to those of four dozen big name brands from eBay to Citibank. There's something there for everyone.

In fact, that's an understatement. Between phishing, fake e-commerce sites and stolen identities, online scam artists are expected to net $US2.6 billion this year (according to Cybersource). Not bad for just going after the low-hanging fruit. To be fair, with holiday e-commerce sales volumes 50% higher than last year, criminals are very busy sending out emails, cloning fake sites and actually using stolen identities. In the words of President Bush, "it's hard work", but the opportunity is there.

Statistics tell us that nearly all stolen credit card numbers and bank accounts are used within 2 weeks, and with $US1.2 billion in phishing losses over the past year, we can expect these gangs to redefine the meaning of 'organized' crime just to keep up with their own success.

Speaking of which, the Anti-Phishing Working Group reports that organized crime is embracing this technology to the tune of 1140 fake storefronts and 6600 different phishing messages. This may seem like a lot, and it is, considering the vast amounts of cash these businesses are producing, but it isn't much compared to what we will see in the coming year. With phishing growth rates as much as two to four hundred percent per month, it is clear that phishers are making full use of sophisticated technologies that probably make Nigerian Scammers green with envy. Not only that, but some of the lazier criminals simply set up hundreds of fake storefronts optimized with catchy search engine keywords and wait for Google to deliver the shoppers. Easy money. Software is the key to the growth of identity theft and that's what gangs are using to automatically create different flavours of fraudulent emails, different e-commerce store interfaces with identical back-ends and multiple varieties of information stealing viruses.

By mixing phishing emails with infected spam messages, thieves are packing a strong punch with every email transmission and traditional spam protection isn't going to cut it. 2005 may well turn into the year of Internet crime convergence. Unaware users are starting to have the option of clicking through the link to the fake site and submitting their information or having their computer infected with a malicious ActiveX control. Or they may opt for the compressed attachment with the funky name. Or some code will run automatically when they open the message - particularly effective on users who insist on using the email preview pane feature.

Of course, email protection and some behaviour change in the lucky top tier of Internet users will protect them against such malfeasance and they can carry out their daily work confident that they know better. Many of them will be right, but only if they use even more software to protect themselves. Unfortunately, as efforts against malicious emails escalate, personal and business communications will suffer. Increased roadblocks to all types of email traffic will mean more lost and bounced emails. Be prepared to confirm receipt of your emails and keep a copy of everything, in case you need to re-send them. Adopting the use of personal certificates and email encryption for sensitive content will be critical, especially for business environments. Enablers of simple systems that bring this functionality to home users have a massive opportunity to unlock profits and add much needed value in this space.

Infection: It's No Longer a Matter of ‘If’ But ‘How Soon’
I have written at length in the past about Survival Time and what it really means: essentially, according to one of the most trusted names in the business (SANS), a new computer running Windows XP has about 16 minutes before becoming infected once connected to the Internet. That's without user intervention, email functionality and typical newbie mistakes. Assuming all you do is buy a new computer and hook it up to the Internet, beginning the hour-long (!) process of updating security patches, within 20 minutes, you'll be patching a system that has already been compromised.

But wait, there's more! A very recent study conducted by USA Today and AvantGarde examined the survival time of systems (also without user intervention). To make a long story short, the Mac and Linux systems were fine – as long as users didn't touch them anyway. The Windows XP machine using well … no protection … was compromised in the first 4 minutes of the two-week study. A machine with Windows Small Business Server took 8 hours to turn to the dark side. Once that happened, the infected PCs became a part of a bot-net, an army of zombie computers remotely controlled without their users' knowledge. Interestingly, two other XP machines remained clean. One had Windows' latest upgrade: Service Pack 2 installed and the other just ran the popular ZoneAlarm firewall.

So as you're cracking open the box containing that spiffy new computer this holiday season, if it doesn't come with SP2 installed, you'd better have all of Microsoft's security patches on a ready-to-install CD because four minutes are barely going to be enough to type "www.windowsupdate.com" let alone download and install those fixes.

Keep in mind that those systems got infected without the help of any user. Not by email, just by open ports that allow Windows to communicate with the outside world. It's all very fascinating but so what? Well, once infected, the computer - much like the Borg of Star Trek - takes its place in the ranks of an army of tens of thousands of others, ready to take orders from an anonymous general.

What motivates these guys to keep doing what they're doing? Two things: the addictive feeling of power that comes from controlling tens of thousands of other people's computers and well... money. Yup, they get paid for directing their attacks at various targets of extortion such as gambling, casino and e-commerce sites. With a simple command they can open a floodgate and overwhelm a target system until it decides to transfer thousands of dollars into an account of their choice. The cost of non-compliance is simple: loss of sales and the risk of non-returning clients. But hey, this is the new millennium so look at the bright side! They get to keep their kneecaps. When not participating in a denial-of-service attack, zombie computers are simply used to route spam without the knowledge of their owners.

Focus on Fraud Moving from Consumers to Corporation:
So what can you expect from 2005 other than poor email service due to spam, viruses and phishing? You can expect these crimes to become more sophisticated. Tools developed to detect phishing attacks today will fail tomorrow because the market for the simple, elephant gun approach of today will be dry by next summer. Replacing them will be more credible, targeted attacks using stolen client and email distribution lists. More corporate identity theft will take place and phishing will move to the enterprise. And why not? We hear that's where the money is. Confuse any one of hundreds of employees and you may hit pay dirt with a bank account number. Get enough financial information to sound credible when opening a merchant account in the company's name and you'll have yourself a legitimate e-commerce operation. Put as many stolen credit cards through that system, take the money and move on to the next company. Automate the process, pipeline it, Henry Ford would be proud!

To do our part in protecting against the growing threat of phishing in businesses, we're offering a free, ready-to-use Anti-Phishing Security Policy (get it from www.InformationSecurityCanada.com's Security White Papers Library). Why not some fancy tool like the gazillions of anti-spam services now available? Because phishing is a social engineering attack. That means people's trust is exploited. New, targeted phishing attacks will soon look just like regular, business-like emails – and most anti-spam tools won't take the chance that a false positive will deprive you of legitimate mail. Keep in mind that the bad guys are testing their email content before sending it, so their messages will probably have a better chance of penetrating spam defenses than this article does.

Okay, Give Us the Good News!
The good news is that the marketplace is evolving and more importantly, that it is maturing. Security threats are becoming topics of regular conversation. Things like spyware, online fraud and identity theft will be commonplace in the coming year. The good thing is that most people will be aware of them and will have just enough knowledge to do something about them. Cyber-terror and critical infrastructure protection will continue to be a growing source of concern, but more attention is being paid to securing those resources and the new year will see a lot of progress being made in that direction.

Phishing will turn into an art form, sometimes passing the common sense test, sometimes not. Extortionists will soon succumb to greed and a shrinking marketplace, attacking one another in an effort to ‘protect’ their clients and losing their anonymity in the process. Once that happens, they will be arrested and others will temporarily take their place. More public prosecutions will help to raise awareness and drive criminals deeper underground. They will conduct a few more attacks using a shrinking base of unpatched computers, but they will also take their racketeering to another level, merging the personal touch of a social engineering attack, with the profit potential of a good old telephone threat.

Internet service providers will soon play a large role in policing the Internet by cutting off access to computers that have evidently been compromised or those used for sending spam. They will also (be forced to) develop new ways to curtail emerging security threats to Internet telephony and VoIP. Unfortunately, many service providers will also succumb to the demands of organizations that seek to identify and prosecute users of peer-to-peer systems. This means that the privacy of our online activities will be negatively affected and we can look forward to another positive wave of end-user awareness, this time about anonymity. Existing software for anonymous surfing, encrypted email and instant messaging will explode in popularity as users fight to preserve their online privacy.

The lowly password will finally start to be phased out from important transactions and will make way for new, strong authentication mechanisms that will uniquely identify legitimate users and deny all others. The challenge will be to make all this new, good stuff actually usable by the masses, but that's something few people have any doubt about. The marketplace has a way of throwing competition at a problem until issues of price, complexity and scarcity eventually go away.

So that's the good news. The next twelve months will see more sophisticated attacks, but these will be met by educated users, advanced technology and involved Internet gatekeepers. And it's about time!

Claudiu Popa is a corporate security advisor and a trusted resource to business executives. He is the president of Informatica Corporation.

Informatica Security Corporation is Canada's most diversified security firm, with products and services that address information risk at every level. The company's value proposition is the elimination of threats to information security and the control of risk in the long term. Unique solutions, strong alliances and proprietary security methods make Informatica unique in its space. Practice areas include Consulting, Research, Development, Products and Training. Each of these divisions brings unique value to corporate clients who seek business asset protection, managed solutions and return on investment. With a client base of strong, progressive firms that span all industry sectors and a loyal audience, Informatica has continued to innovate for over a decade. Every year, Informatica helps protect millions of dollars in business information assets from existing and emerging threats. The company brings unique perspectives to risk management by maximizing the effectiveness of solutions including systems security, strategy & policy consulting, advisory and support services, managed security, investigation and forensics, layered security and custom training programs.

For media enquiries contact: Claudiu Popa, President, Informatica Corporation Tel: 416-431-9012 Email: Info@InformaticaSecurity.com

# # #
