Remember when the computer viruses and worms that infected millions of computers and brought networks to their knees were authored mainly by smart-but-sociopathic teens and twentysomethings? Those, it turns out, may have been the good old days.
Attacks have become less widespread, but they're more targeted, often hitting applications rather than increasingly protected operating systems (see BW Online, 5/02/05, "Probing Your PC’s Weak Spots"). Instead of kids writing attack code for nihilistic glory, attacks increasingly are sponsored by criminals attempting to steal information, whether corporate data or user account information that can be used in fraud (see BW Online, 5/10/05, "Clicks That Make PCs Sick").
That's the conclusion of a new survey of the top vulnerabilities during 2005 by the Bethesda (Md.)-based SANS Institute and two government-backed security agencies, US-CERT at Carnegie Mellon University in Pittsburgh and Britain's National Infrastructure Security Coordinating Centre.
COMPROMISING POSITIONS. One of the report's more distressing findings is that software programs designed to protect data have themselves become the targets. "We are seeing a trend to exploit not only [Microsoft (MSFT)] Windows, but other vendor programs installed on large numbers of systems," says Rohit Dhamankar, lead security architect for TippingPoint, the security division of 3Com (COMS) and the lead SANS participant on the assessment team.
"These include backup software, antivirus software, database software and even media players. Flaws in these programs put critical national and corporate resources at risk and have the potential to compromise the entire network."
The trends have a number of implications for computer security, whether at home, in small offices, or large enterprises. One is that viruses, worms, and the like, which used to be mainly a nuisance for consumers, increasingly carry the threat of real financial loss. "The attacks are more targeted on stealing consumer information," says David Cole, director of product management for Symantec's (SYMC) security response unit.
NEW RISKS. It's risky to assume you are safe simply because you always install the latest operating system patches. You have to make sure that programs from multiple vendors are up to date. Fortunately, more programs, such as Adobe Acrobat Reader and Mozilla Firefox, both of which came under attack this year, come with their own automatic update systems. And because these applications run on different kinds of systems, you cannot assume you have little or no risk because you use Apple's Mac OS X or the Linux operating system rather than Windows (see BW Online, 10/24/05, "Why Worms Shun Apple's OSX").
Of the 20 top vulnerabilities highlighted by the report, nine were designed to attack multiple platforms. Among consumer products, file-sharing programs such as eDonkey, KaZaa, and BitTorrent are among the leading targets. The main problem here is that the files distributed by the systems can be dangerous vectors of infection.
BLAME THE MEDIA. Adding to the dilemma, major media players, including Windows Media Player, RealPlayer, and iTunes, all turned up in 2005 with vulnerabilities that would allow the installation of hostile programs, such as those that monitor keystrokes and can steal passwords and other account information. So if the fact that unauthorized downloads are illegal and increasingly targeted for lawsuits by content owners isn't enough, the security risks serve as an additional reason to steer clear of file sharing.
Another disturbing trend is increasing attacks on Web servers. In the worst case, this can create compromised sites that launch attacks on visitors by exploiting vulnerabilities in browsers. Web sites using the popular PHP scripting language proved especially vulnerable this year.
Beyond Web servers there has been an increase in attacks on the infrastructure of the Internet itself. Three of the top 20 vulnerabilities involved networking products, including devices from Symantec, Juniper Networks (JNPR), and Checkpoint Software Technologies (CHKP) that are designed to help secure networks.
PATCH IT UP. One lesson from the report is that the sellers of a broad range of hardware and software may have to follow the lead of companies such as Microsoft and Apple (AAPL) and provide mechanisms to keep their systems up to date automatically. The increasing speed with which the bad guys attack vulnerabilities calls for an increasingly agile response.
"The bottom line is that security has been set back nearly six years in the past 18 months," says Alan Paller, research director for SANS. "Six years ago attackers targeted operating systems, and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching." Looks like applications suppliers have their work cut out.