In-Depth

A Tough Year that Could Have Been Worse

Security admins faced a host of vulnerabilities and new attacks in 2010, but the nightmare scenarios that could've kept security pros up at night blessedly didn't come to pass.

In 2010, things could've been worse on the information security front.

There were the expected data breaches, to be sure, as well as the emergence of novel -- if not exactly innovative -- attack-types, an unsurprising recovery in both the volume and malignancy of spam, and at least one worrisome worm.

Some of the nightmare scenarios that could have kept security pros up at night -- for example, a rise in GSM-oriented cellphone cracking; the emergence of a massive new worm on the scale of a Code Red or SQL Slammer; or the discovery of a terrifically costly data breach -- didn't come to pass.

There was nothing quite like the series of attacks that -- in July of 2009 -- crippled federal organs in both South Korea and (to a lesser extent) the United States. There was nothing quite like the early-2009 data breach at Heartland Payment Systems that compromised as many as 100 million credit card numbers.

Moreover, there were no truly blockbuster worms or viruses -- none, at least, on the scale of Koobface or Conficker (circa 2008), to say nothing of MyDoom (circa 2004), SQL Slammer (circa 2003), or Sobig (also 2003).

In an information security space that seems perpetually perched on the very precipice of disaster -- with dire warnings about the consequences of this or that potential exploit -- "could've been worse" isn't such a bad thing after all.

That said, 2010 did produce "Stuxnet," the first malware worm designed to target embedded or control systems, and that (rightly) worries some folks.

Cracking Control Systems

Embedded or control systems -- what computer engineering types dub "supervisory control and data acquisition" (SCADA) systems -- used to be off-limits to crackers, chiefly because most such systems ran homegrown or proprietary operating environments. Crackers overwhelmingly target Windows at least in part because Windows still powers the overwhelming majority of desktop computer systems, as well as a substantial plurality of server configurations.

Windows increasingly powers SCADA systems, too.

This helps explain how Stuxnet came to be. It affects the Windows-based WinCC/PCS7 control systems manufactured by Siemens and uses a total of four zero-day exploits to install a rootkit on compromised systems. Stuxnet's purpose seems to be as intriguing as it is malicious: according to researchers with security specialist Symantec Corp., it's able to steal design and control files from a source database. It also has the ability to make changes to a SCADA system and to effectively cover its tracks.

On top of this, it uses a built-in cryptographic facility. For these and other reasons, Symantec classifies "Stuxnet" as a highly sophisticated worm, describing its use of four zero-day attacks as "unprecedented."

Its very sophistication has some researchers urging caution, however. After all, most of the compromised systems -- "compromised" in this context typically denotes a facility-wide infection -- were situated in Iran, which has come under international scrutiny for its alleged nuclear weapons programs.

Late this year, intelligence analysts suggested that Stuxnet had actually disrupted Iran's uranium enrichment activities. This isn't necessarily a far-fetched conclusion. On his company blog, Symantec researcher Eric Chien suggested that Stuxnet had the ability to change "the output frequencies and thus the speed of the motors for short intervals over periods of months."

This doesn't just sabotage what Chien called "the normal operation of the industrial control process" -- it likewise complicates the work of uranium enrichment, which uses spinning (motor-driven) centrifuges.

Regardless of Stuxnet's purpose, its existence is something of a watershed event in information security: it's the first worm that explicitly targets mission-critical control systems. Will 2011 see a rash of similar attacks?

Targeted Mayhem

Targeted attacks are nothing new, but in 2010, attacks that target specific job roles, vertical markets, or (in a new, business-related twist) topical global events increased markedly. In the past, spammers generally contented themselves with targeting specific job roles or specific business subject-matter areas.

This year, however, spammers exploited interest in the World Cup to perpetrate a range of different targeted attacks -- including some aimed at specific verticals in specific locales -- such as chemical, financial services, and manufacturing interests in perennial World Cup powerhouse Brazil.

By October of 2010 -- just in time for the crucial Christmas buying season -- spam malware was targeting retailers, a relative first. Previously, retail-oriented targeted attacks accounted (on average) for 0.5 percent of all cracking activity; in October, retail-centric attacks accounted for a full one-quarter of targeted attacks.

The lesson isn't so much that retail is the next battleground in targeted attacking, security researchers warned; it rather demonstrates -- once again -- that attackers are as opportunistic as they are determined.

Messaging security specialist MessageLabs (a subsidiary of Symantec) cites one particularly clever kind of targeted effort -- an attack that used information harvested from social networking sites. "In one organization, 324 attacks against 88 employees were spoofed from senior executive e-mail addresses, and were sent to employees at the same company," explained a MessageLabs report.

"[T]he details of many of the executives' names who were used could be found on professional social networking websites. It seems highly likely that the attackers performed some initial reconnaissance using these individuals' personal profiles on professional social networking sites."
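One defensive check for the spoofed-executive pattern the MessageLabs report describes, as an added example that is not from the article or from MessageLabs: it parses constructed raw messages (the company domain, relay hostname, addresses and headers are all assumed) and flags mail whose From address claims the company's own domain but arrives from an outside hop or fails sender authentication.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumed company domain (hypothetical)
INTERNAL_RELAY = "mail.example.com"      # assumed hostname of the company's own relay


def spoofed_exec_indicators(raw):
    """Return the reasons an inbound message looks like a spoof of an internal address.

    Only messages whose From header claims the internal domain are examined;
    an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
        return reasons  # not claiming to be internal; out of scope for this check
    # Received headers are prepended by each hop, so the last one is the oldest.
    received = msg.get_all("Received") or []
    oldest = received[-1].lower() if received else ""
    if f"from {INTERNAL_RELAY}" not in oldest:
        reasons.append("internal From address but first hop is not the internal relay")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("SPF failure for internal domain")
    if "dkim=pass" not in auth:
        reasons.append("no DKIM pass for internal domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and not reply_to.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append("Reply-To points outside the company")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = """Received: from unknown-host (203.0.113.7) by mx.example.com with ESMTP; Mon, 4 Oct 2010 09:00:00 +0000
From: "Jane Doe, CEO" <jane.doe@example.com>
To: staff@example.com
Reply-To: jane.doe.ceo@mail.invalid
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Urgent request

Please handle this today.
"""

LEGITIMATE = """Received: from mail.example.com (10.0.0.5) by mx.example.com with ESMTP; Mon, 4 Oct 2010 09:05:00 +0000
From: "Jane Doe, CEO" <jane.doe@example.com>
To: staff@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Quarterly update

See the attached agenda.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(name, spoofed_exec_indicators(raw))
```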

Breachers Get Organized

Although we didn't see anything comparable in scope or severity (to say nothing of cost) to the notorious data breaches at Heartland Payment Systems or Horizon Blue Cross and Blue Shield of New Jersey (which occurred in 2009 and 2008, respectively), 2010 wasn't completely glitch-free when it comes to data breaches.

In November, for example, almost 400,000 health-care records were affected when an internal database maintained by Puerto Rico's government-sponsored Health Insurance Program (HIP) was accessed by crackers seeking financial information. The attack involved the unauthorized use of legitimate user IDs and was believed to have been carried out at the behest of a competitive organization.

Another big-ticket attack -- involving some 230,000 students and as many as 30,000 employees -- targeted the Houston Independent School District in October. Both payroll and academic information may have been compromised.

All told, the Privacy Rights Clearinghouse logged almost 540 public data breaches through the first 11 months of 2010.

Meanwhile, would-be data breachers are getting both more resourceful and more organized. That's "organized" as in RICO -- the Racketeer Influenced and Corrupt Organizations Act. According to the 2010 Verizon Data Breach Investigations Report -- which the telco giant compiled with assistance from the United States Secret Service (USSS) -- an increasing number of data breaches are instigated by organized cracking efforts. Organized crime could be responsible for as much as 85 percent of breach activity, Verizon estimates.

Moreover, would-be data breachers are getting more sophisticated: in many cases, they're using both insider access and social engineering techniques.

The good news, according to both Verizon and the USSS, was that the number of data breaches in absolute terms was down.

It almost certainly could have been even lower. In 2010, as always, most breaches were avoidable: just 15 percent of data breaches involved "highly difficult" exploits, according to the Verizon report; what's more, the overwhelming majority (87 percent) of victims failed to detect evidence of breaches in their log files.
