Archive for December, 2009

2009: Year of the Trojan

Thursday, December 17th, 2009

2009 has seen new technologies being improved, adapted and adopted on a massive scale, with over 350 million active users of Facebook, downloads of iPhone Apps recently topping 2 billion, and more than 1.6 billion devices being used to access the internet, including PCs, mobiles and online gaming consoles. There has also been an increase in the number, and sophistication, of internet threats being produced by cyber criminals.

Trojans

Trojans have been around for some time now, but the level of sophistication and the improvement in their development has been of particular concern in 2009. Ones to watch in 2010 include ZeuS, which steals user data ranging from passwords for social networking sites to financial log-in details; Urlzone, which re-writes your online bank statement to cover its tracks once the money has been taken; and Clampi, which steals banking log-in details. Because these Trojans can mount man-in-the-middle attacks, users are increasingly vulnerable to account takeover without having the slightest idea that something untoward is happening.

Phishing and Botnets

We have also seen an increase in the deployment of increasingly resilient botnets (responsible for most of the spam we see these days), intelligent clients and the development of credible emails and websites that are believable to even the most wary of us.

Secure Applications?

Also of concern is the way that some of these new technologies are being developed. Is enough time given to develop in a secure fashion? 2009 has seen numerous attacks against Twitter, Facebook and other social networking sites, which suggests that more time and attention needs to be paid to the security of these sites. Furthermore, greater consideration must be given to the data being stored, as shown by the latest Facebook fiasco, where accounts were created with ‘everyone’ permissions, allowing the world outside of Facebook to have access to information. It is crucial that greater attention is paid to security at all levels.

Corporate Data Breaches

The number of data breaches throughout the year has been a major concern; there is still a problem with keeping electronic data secure. These breaches not only have a serious impact on people’s security but also on developments like cloud based solutions that go beyond email and web scanning.

Targeting the Cloud

Working ‘in the cloud’ is becoming ever more popular as businesses realise the economic and environmental benefits of home working; some analysts predict that businesses using the technology will double to 9 per cent by 2012. It seems likely that, as with application development, security will have been sacrificed to some extent in the rush to get to market. And whilst the security of these solutions is likely to be better than that of the majority of small to medium sized companies, they will present an attractive and lucrative target for hackers. The benefits of using the cloud may outweigh the risks involved, but all companies and individuals should seriously consider the risks before they make the leap.

Macs under threat

Apple sold 3.5 million Macs and 7.4 million iPhones in the fourth quarter of its fiscal year. Whilst PCs still have the predominant share of the market, and therefore are at the greatest risk of attack, the rapid growth and the ability to connect and share data between Apple products, combined with the aura of security that surrounds Macs, has made Apple products an attractive target for malware writers.

2009 has seen Macs increasingly targeted, with a number of malware programs being written for, or being effective against, the Mac (and a small Mac botnet being detected in April). Although threats against Macs are likely to increase in 2010, we can still expect Windows to be the main target, as it still holds around 90 per cent of the desktop market.

2009 has been a year of cross platform communication. People want to call, text, work and communicate over many platforms from a simple mobile device. They want to be able to plug this device into their computer at home or work and transfer their work instantly. Many also want to do the shopping, or check their bank accounts, from their mobiles or computers. Unfortunately, this increased collaboration between devices, applications and platforms will mean that malware writers, who may have previously targeted PCs, now have a plethora of devices, websites and applications available to target, and a diverse range of increasingly sophisticated methods with which to bamboozle their victims.

The one good trend to come out of 2009, the increase in international co-operation that has seen Egypt and the US collaborate to catch one gang, will need to be strengthened and formalized if the international community is serious about tackling cyber crime.  When a spammer can hide in New Zealand from a penalty that has been handed out in the US, the gap that is yet to be covered is revealed. We can also see this in cases like Gary McKinnon – if extradition treaties are not reciprocal or punishments not measured, then international co-operation is going to be obstructed and cybergangs, who may be three individuals in separate countries, will remain free to exploit new technology and the trust we place in it.

RockYou and the 32.6 million passwords

Wednesday, December 16th, 2009

It’s been just over two months since more than 10,000 Hotmail passwords were stolen and posted online. Now, just in case we needed a reminder about the security of our online accounts, online application powerhouse RockYou has fallen victim to an SQL attack, prompting Techcrunch to urge over 32 million RockYou users to change their passwords after hackers gained access to passwords and email addresses that were stored in plain text.

Unfortunately, RockYou are far from alone in storing password details in plain text, which makes it even more important for us as the user to take personal responsibility for the security of our data.

If you access any accounts online, you should follow these basic steps:

1.    Create unique passwords for each account
2.    Change all of the passwords regularly
3.    Don’t use dictionary words or overly simplistic passwords (earlier this year one site’s most popular password was revealed as 123456)
4.    Create passwords that are over 10 characters long
5.    Although it may seem original, taking a dictionary word or someone’s name and replacing the i with a 1 and the e’s with a 3 doesn’t fool anyone
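The checks in steps 1, 3, 4 and 5 can be automated. The following is an added example, not part of the original post: the word lists are small constructed samples, the substitution table extends the i/1 and e/3 pair from step 5 with other common look-alikes, and `check_password` is a hypothetical helper name.

```python
import re

# Constructed sample lists; a real check would load a full dictionary
# and a list of passwords seen in breaches.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}
DICTIONARY = {"password", "monkey", "elephant", "michael", "princess"}

# Step 5: look-alike substitutions mapped back to the letters they replace.
LEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 11  # step 4: "over 10 characters"


def candidates(password):
    """Return the forms of a password that a guessing tool would also try."""
    lowered = password.lower()
    # Drop digit or symbol padding at either end, such as "2009" or "!".
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    return {lowered, lowered.translate(LEET),
            stripped, stripped.translate(LEET)}


def check_password(password, other_passwords=()):
    """Return the list of rules a password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password in other_passwords:  # step 1: unique per account
        problems.append("reused")
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        problems.append("common password")
    if forms & DICTIONARY:  # exact matches only, after undoing substitutions
        problems.append("dictionary word or name")
    return problems


if __name__ == "__main__":
    for sample in ["123456", "p4ssw0rd", "M1cha3l!", "m0nk3y2009",
                   "vR8#kq2LwZ!x9Tn"]:
        print(sample, check_password(sample))
```

Step 2 (changing passwords regularly) depends on when each password was set, so it is not covered by this check.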

However, the service providers also have a duty of care and should examine their own security policies.

Do they store user data in plain text?
Should they introduce extra factors of authentication?
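On the first question, a provider does not need the plain text at all: it can store a salted, deliberately slow hash and compare against that at log-in. The following is an added example, not code from RockYou or from the original post; it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count, record format and sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:  # malformed record, e.g. a leftover plain text row
        return False


def migrate_plaintext_rows(rows, iterations=ITERATIONS):
    """Replace each (email, plain text password) row with (email, record)."""
    return [(email, hash_password(password, iterations))
            for email, password in rows]


# Constructed sample of a table that stores passwords in plain text.
LEGACY_ROWS = [("alice@example.com", "123456"),
               ("bob@example.com", "123456")]

if __name__ == "__main__":
    for email, record in migrate_plaintext_rows(LEGACY_ROWS):
        print(email, record)
```

Both sample users chose the same password, yet their stored records differ because each gets its own salt, so a stolen table no longer reveals which accounts share a password.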

Our guide on authentication discussed the possibility of ‘identity 2.0’: the introduction of a system which would remove the need for users to think up and remember multiple, unique and complex passwords for their online services, and provide them with one online identity that all online services recognise. But, as we noted in the guide, there are also drawbacks to this approach.

The one thing we can be certain about is that hacking incidents and data theft will not go away, and those users who use the same password for multiple accounts are putting themselves and their data at risk by not adopting a more stringent attitude to password security.

Managed security services: why SMEs should take advantage

Wednesday, December 9th, 2009

Managed security services have traditionally been adopted by large companies in an attempt to combat growing internet threats in the most cost effective way possible. By outsourcing security management to companies which specialise in the area, these companies can have both a successful security solution, and free up their IT departments to focus on other areas of the business. Over the last 12 months in particular, we’re seeing medium sized and small businesses taking advantage of the same benefits, as internet threats get more sophisticated and so the cost of providing expertise in-house mounts. Likewise, as a market matures, the cost of outsourcing is reducing.

I find it encouraging that SMEs are starting to take the view that their larger counterparts take – that is understanding that a short term expense may be required in order to take advantage of future benefits. Our experience, like others in our market, shows that companies that install a managed security service have saved between 20 and 40 per cent compared to those that still use in-house security processes.

SMEs face many of the same security issues as large companies, but potentially have much smaller budgets. However, once you examine the cost savings made over time, a managed security solution proves to be excellent value for money.

We discuss how SMEs can benefit from a managed security solution in our latest white paper, ROI of managed security services, which is published today and free to download from the Network Box website.

Vietnam number one source of spam for November, but will anything be done to tackle it?

Tuesday, December 1st, 2009

Today’s news that a New Zealand national has been ordered to pay $15.5 million US dollars in fines due to his participation in an international spam network, highlights the seriousness with which authorities are starting to take malware production. But it also reveals the problems with enforcement that currently pervade the system, as the man in question will not have to pay the fine unless he sets foot on American soil.

Last month we highlighted how malware production was dispersing. The traditional centres of production (such as Brazil, the US and Korea) were starting to produce less malware, whereas other countries like India and Vietnam were beginning to produce more.

Now, Vietnam has become the number one source of spam – being responsible for more than 10 per cent of the world’s spam emails – and the UK has entered the virus production charts, being responsible for 2.79 per cent of the world’s viruses. (Brazil, the US and Korea still dominate when it comes to virus production.)

As we have said before, it is incredibly important that there is effective international policing and enforcement when it comes to cybercrime. Yes, it’s good news that governments are willing to levy such massive fines against perpetrators, but what is the use of such a fine if the offender can simply choose not to pay it?

Although we have developed strong measures to track and trace production, and we can do a considerable amount to protect the end user, there needs to be a substantial international effort from the authorities to educate the end user and co-operate over the policing and enforcement of malware production.