In-Depth

The Year in Security and the Fresh Problems Ahead

All things considered, 2008 was a quiet but industrious year on the security front.

• By Stephen Swoyer
• 12/16/2008

All things considered, 2008 was a quiet but industrious year on the security front.

Although there weren’t any blockbuster exploits -- of SQL Slammer-, MyDoom-, or Storm Worm-type fame, at least -- there was plenty of malicious activity in 2008. Spam crested -- and then declined precipitously. Trojans popped up at an unprecedented pace -- one researcher claimed that it was detecting almost 80 Trojans per day -- while identity thieves had a banner year, too. As 2008 draws to a close, social networks, Web applications, and other Web 2.0-enabled sites are starting to attract increased interest from crackers, too.

Take Trojan activity, for example. According to security researcher MessageLabs (which is now a part of Symantec), two distinct types of targeted Trojan attacks emerged -- the most frightening was a limited e-mail attack that, by targeting select individuals inside an organization, attempts to pass itself off as an ostensibly sincere communication. (The e-mail messages used in this attack contain content that might reasonably be relevant to its intended recipients.)

It’s all part of a bona fide trend, Message Labs says: attackers are getting savvier, increasingly directing targeted attacks against businesses and organizations. Even as savvy crackers discover that less is more -- one such targeted attack was sent to only 17 recipients, MessageLabs says -- others are using the same brute-force methods that they’ve traditionally applied to spam. The upshot is that Trojan activity is skyrocketing. In 2005, for example, the company detected one or two Trojans per week. That accelerated to one or two per day in 2006, 10 per day in 2007, and -- in 2008 -- 78 Trojans per day.

Elsewhere on the exploit front, it was a banner year for identity thieves. By August the tally of identity theft breaches for 2008 had already surpassed that of 2007, according to the Identity Theft Resource Center (ITRC). That’s almost certainly just the tip of the iceberg. “The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events,” says the ITRC in an online report. There were, of course, the requisite mass breaches -- chiefly via lost laptops, misplaced or stolen digital records, inadvertently published e-mail links, and accidentally Google-ized internal data sources.

Got ID?

Some big names fell prey to data loss of some kind this year. HP, for example, misplaced a laptop computer that contained several thousand employee records. (As of late December, no exposed records had yet been reported in that case.) Starbucks, on the other hand, was the victim of a stolen laptop -- one that unfortunately contained information pertaining to 97,000 of its employees and business partners. Lastly, there was AIG -- yes that AIG -- which was unsuccessfully blackmailed by a former employee. The thief stole a computer server that housed information concerning 900,000 -- yes, 900 thousand -- policy holders. In the latter case, the AIG employee was apprehended by the Federal Bureau of Investigation.

The ITRC and other researchers expect identity theft reports to increase throughout 2009. Desperate times, desperate measures, and careless data stewardship all but ensure that will be the case.

The Soon and Inevitable Return of the Toxic Spammer

Spam surged in 2008 -- in spite of a couple of high-profile anti-spam successes. According to MessageLabs -- which, admittedly, has an interest in highlighting both the volume and the damage caused by unwanted mass mailings -- spam accounted for more than 81 percent of all e-mail traffic last year. The tactics of successful spammers changed with the times, too: in 2007, experts say, attachment-based spam proliferated; in 2008, spammers opted for CAPTCHA hacks (targeting those "type the text you see in the box" fields) or news-related spam exploits. The battle against spam, it seems, is irreducibly Darwinian: spammers, in spite of the best-laid plans of security researchers and law enforcers alike, keep finding new ways to do their things.

To be sure, the year saw a few high-profile spam-related successes. For example, “bulletproof hosting” provider McColo Corp., which catered largely to spam and malware operators (along with other unseemly clients) had its upstream connection terminated in November, leading to an unprecedented drop in spam volumes.

McColo was actually the second of two “bulletproof” providers that were shut down last year. A couple of months earlier, spam haven Intercage went offline. The latter’s disappearance served only to slightly depress spam levels; McColo’s closure, on the other hand, was temporarily cataclysmic.

According to Message Labs, Spam Cop, and other researchers, spam levels dropped by as much as two-thirds after McColo went silent. It’s a drop that, to a surprising degree, was sustained through much of November.

Don’t expect it to last. For one thing, researchers note, spam volumes traditionally increase at the end of the year (coinciding with the Christmas shopping season). There’s profit aplenty in spamming -- even if the return-on-investment (i.e., bites per tens of thousand, hundreds of thousands, or even millions of messages sent) is infinitesimally small. More to the point, a handful of other “bad actor” hosting providers -- identified by security researchers at HostExploit.com as Cernel, Hostfresh, CWIE, and Softlayer -- continue to peddle their services (see http://hostexploit.com/downloads/Hostexploit%20Cyber%20Crime%20USA%20v%202.0%201108.pdf).

“[U]sers [need] to continue to be on guard against spam and malicious code attacks as attackers have traditionally tried to leverage festive session and topical global events to lure users into opening and responding to their messages,” warned Vincent Weafer, a security researcher with Symantec, in the aftermath of the McColo shutdown. “They should ensure that they continue to adopt security best practices including have updated antivirus and antispam protection as well has installing critical security patches on their computer systems as soon as they are available.”

Jumping Jehoshaphat, Batman: Web Applications Are Vulnerable, Too!

The success that spammers had in breaching CAPTCHA measures resulted in an unprecedented cracking spree in the Web application space. According to Message Labs, for example, spammers are increasingly using Web-based e-mail and application services to generate “massive” numbers of new accounts.

One upshot of this is that malicious activity associated with otherwise benign Web applications (e.g., Yahoo widgets, Google Apps, and other free, CAPTCHA-protected services) will increasingly pose headaches for security administrators in 2009. “[The] popularity of Web-based and hosted applications as well as these domain names being the unlikeliest to be blocked by IT departments … [make] Web-based services the easiest to crack,” a bulletin from MessageLabs advises.

The vulnerability of Web applications also implicates the vulnerability of social networks. Given the huge popularity of franchises such as Facebook.com, Twitter, Digg, Memeorandum, and other social sites, it’s a lead-pipe cinch that crackers will be on the attack in 2009. They’ve got an especial impetus for doing so, security researchers warn: such sites are goldmines of personal information and can also help attackers enhance their social engineering tactics. What fresh problems are in store for 2009? Attack activity. Lots of attack activity. With this in mind, the prescription for security professionals is a no-brainer: buy coffee, aspirin, and bourbon in bulk over the holidays.