Original URL: https://www.theregister.com/2014/06/03/security_overview/

Remember Anna Kournikova? Come with us on a tour of bug-squishing history

We'll also take a look at the more pernicious malware

By Tom Brewster

Posted in Security, 3rd June 2014 12:14 GMT

Brain. No, it’s not some Skynet AI drone, nor is it the blob that was always out to get the Teenage Mutant Hero Turtles.

It is the name of the first PC virus, dating back to 1986. The two Pakistani brothers, Basit and Amjad Farooq Alvi, who wrote it did not have malicious intentions: they simply wanted to scare people running pirated versions of the software they were pushing out of their shop in Lahore.

But their creation, which infected the boot sector of hundreds of thousands of floppy disks with the Brain code, was pernicious.

Malware was not designed to steal data back in the 1980s. Much of it was the work of hobbyists. The first conviction under the US Computer Fraud and Abuse Act was that of Robert Tappan Morris in 1989 for the spread of the Morris worm, which he had cooked up the year before.

Morris said he simply wanted to test the security of systems attached to the embryonic internet. Again, there was little malicious intent but the fallout was nasty.

Since then, the proliferation of viruses, worms and Trojans has been inexorable. Many viruses that emerged in the 1990s were MS-DOS visual malware. The Walker, for example, created the image of a gentleman ambling across the infected machine’s screen, and the V-Sign drew a "V" in the command-line interface.

The Concept malware which infected Word files was a game-changer. Discovered in 1997, it was one of the first macro viruses that could appear on any system running Word, regardless of the underlying operating system.

Then there was Happy99, the first email worm, forerunner of further famous worms such as Anna Kournikova and iloveyou, which infected millions of machines after the turn of the millennium.

Code Red would redefine how people considered security, as it infected Windows web servers, not PC clients.

SQL Slammer, a worm that exploited a flaw in Microsoft SQL Server and caused denial-of-service incidents across the internet, was another evolution of the threat. Malware had become seriously noxious.

Stealing from the thieves

Since 2000, malware has increasingly focused on financial gain rather than just disruption. Combined with social engineering tricks perpetrated through phishing emails and social network posts, malware such as Zeus has been used to pilfer vast sums from people’s bank accounts, while other malicious software has picked up sensitive data on an epic scale.

Giant spamming botnets, from Storm to Conficker, have also caused carnage. Ransomware, such as the particularly aggressive Cryptolocker variant, has become prevalent, encrypting files and demanding payment for decryption from the infected user.

The criminal malware zenith was reached last year, with the epic point-of-sale attack on US retail giant Target, leaking data on more than 40 million credit cards.

“The most important attack [in the history of security] was the one on Target,” says Alan Woodward from the Department of Computing at the University of Surrey.

“It showed for the first time the scale that organised hacking can reach when going for direct financial gain.”

Nation states have also adopted and developed malware to steal other countries’ secrets.

The most notorious example was Stuxnet. Believed to have been created by the US and Israel, the virus disrupted centrifuges at an Iranian nuclear plant by exploiting a record four zero-day vulnerabilities.

Cyber espionage has become increasingly sophisticated too, reaching its apparent apex with the Red October campaign in early 2013. Over five years, PCs, mobiles and network equipment were infected at government agencies, research organisations and nuclear groups, scooping up geopolitical intelligence and critical credentials.

“Stuxnet showed that cyber security can impinge on the real world, and suddenly the general public realised that everything from power stations to transportation was potentially vulnerable,” says Woodward.

“Red October showed that stealing information might be a motive, that it can go on unnoticed for years and that criminals might not be the only ones interested.”

Open sesame

While malware and the exploits delivering it have been developing apace, other kinds of attack have been proliferating too as crooks take advantage of age-old problems.

Dodgy password management was the catalyst for the introduction of the UK’s Computer Misuse Act.

Back in 1985, Robert Schifreen and Stephen Gold were arrested, having acquired the login details to Prince Philip’s BT Prestel Mailbox, but they were acquitted because no computer crime law then existed.

Schifreen, now a well-regarded author and security consultant, thinks login snafus are still a major issue.

“We need to find a solution to the problem of people having to remember loads of different passwords,” he says.

“The fact that ‘123456’ is still the world's most popular password is astonishing.”

Application-layer attacks, in particular SQL injection and cross-site scripting (XSS), remain problematic, given the ease with which they can be used to force websites into dumping data.

WhiteHat Security’s 2014 Statistics Report showed XSS was the most common vulnerability class, causing problems regardless of what languages were being used.

Among the Perl sites reviewed by WhiteHat, there was a 67 per cent chance of at least one XSS vulnerability, over 11 per cent more than any other language, while as many as 10.6 per cent of ColdFusion sites had at least one SQL injection flaw.

Worries about access to applications have also intensified. In a Barracuda-sponsored survey of 400 Register readers carried out by analyst firm Freeform Dynamics, two-thirds said mobile and remote access were increasing the challenge associated with application access security.

The rise of cloud-based services and the quality of mobile attacks has made security leaders anxious about employees using tools without involving the CIO, known as shadow IT.

“Companies wanting to ensure malicious parties aren't gaining access to applications should be educating employees, partners and customers,” says Klaus Gheri, vice-president of network security at Barracuda Networks.

“The banks enforced this from an early stage with online banking and it has worked very well. The banks have learned that access controls via two-factor authentication are most effective against account theft. Technology is a backup to education.”

Problems surrounding legacy apps, including heightened complexity combined with poor service, remain. More than 60 per cent of respondents to the Freeform Dynamics survey said they were experiencing poor or unpredictable app performance.

“It is commonplace for companies to put up with poor service from legacy security providers. The reason that we see over and over is that human beings are risk averse,” says Gheri.

“They don’t like change, especially when it could open them up to criticism. IT security is a risky business. Nobody notices when it works well but everyone from the CEO down to the call-centre staff notices when it doesn’t.

“The consequences of a poor security decision are far greater than any other in IT management.

“There are, however, risks involved in putting up with poor service. The longer you stay with an incumbent provider because of fear of change, the older your features get and the less compliant with industry standards. Often apathy leads to out-of-date technology and not getting the attention or price points you should be due.”

The network is not immune from attacks either. Thanks to hacktivists, extortionists and nation-state attackers, distributed denial of service (DDoS) attacks have grown to epic proportions. One example was a huge hit that took out internet infrastructure in Estonia in 2007.

“The DDoS on Estonia highlighted the fragility of the internet, even at a national level,” says Brian Honan, CEO of BH Consulting and founder of the Irish Reporting and Information Security Service, Ireland's first computer emergency response team.


“Using simple scripts attackers were able to force Estonia off the internet for days. Until then DDoS was not considered a major threat but it is now an everyday attack tool for criminals and others.”

This year saw a new peak, with a 325Gbps DDoS on an unnamed French organisation. By spoofing IP addresses and using huge botnets, attackers were able to exploit protocols such as the Network Time Protocol (NTP) that allow for epic DDoS amplification.

One small request to a vulnerable NTP server can send large volumes of traffic back to targets, knocking them offline. The problem is so severe that DDoS attacks are predicted to exceed 500Gbps this year.
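The amplification described in the two paragraphs above is visible in flow data: from the NTP server's side, the spoofed request arrives with the victim's address as its source, and the oversized reply goes to that same address, so the ratio of bytes out to bytes in for one (server, peer) pair is the amplification factor. The following is an added example, not from the article: it runs a simple detector over constructed flow records. The record format, the `Flow` dataclass, the thresholds and every address and byte count are assumptions chosen to illustrate the pattern, not measurements from any real event.

```python
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
SUSPECT_RATIO = 10.0   # replies ten times larger than requests are not normal time sync
MIN_PACKETS = 50       # ignore tiny bursts that cannot hurt anyone


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed format for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int
    packets: int


# Constructed sample flows as seen at an NTP server 192.0.2.10.
SAMPLE_FLOWS = [
    # A legitimate client: five small requests, five small replies.
    Flow("198.51.100.7", 40000, "192.0.2.10", NTP_PORT, 240, 5),
    Flow("192.0.2.10", NTP_PORT, "198.51.100.7", 40000, 240, 5),
    # Spoofed requests carrying a victim's address, answered with a torrent of data.
    Flow("203.0.113.9", NTP_PORT, "192.0.2.10", NTP_PORT, 6000, 100),
    Flow("192.0.2.10", NTP_PORT, "203.0.113.9", NTP_PORT, 2400000, 5000),
    # A lopsided but tiny exchange: below the packet floor, so not reported.
    Flow("203.0.113.20", NTP_PORT, "192.0.2.10", NTP_PORT, 60, 1),
    Flow("192.0.2.10", NTP_PORT, "203.0.113.20", NTP_PORT, 4800, 10),
]


def pair_flows(flows):
    """Sum inbound requests and outbound replies per (server, peer) pair."""
    inbound = defaultdict(lambda: [0, 0])   # (server, peer) -> [bytes, packets]
    outbound = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dport == NTP_PORT:
            inbound[(f.dst, f.src)][0] += f.bytes
            inbound[(f.dst, f.src)][1] += f.packets
        if f.sport == NTP_PORT:
            outbound[(f.src, f.dst)][0] += f.bytes
            outbound[(f.src, f.dst)][1] += f.packets
    return inbound, outbound


def find_amplification(flows, ratio=SUSPECT_RATIO, min_packets=MIN_PACKETS):
    """Return one alert per peer whose replies dwarf its requests.

    A peer that receives large replies without having sent anything at all
    gets an infinite ratio: from this vantage point it is pure reflection.
    """
    inbound, outbound = pair_flows(flows)
    alerts = []
    for (server, peer), (out_bytes, out_pkts) in outbound.items():
        if out_pkts < min_packets:
            continue
        in_bytes, _ = inbound.get((server, peer), (0, 0))
        factor = out_bytes / in_bytes if in_bytes else float("inf")
        if factor >= ratio:
            alerts.append({"server": server, "victim": peer,
                           "factor": factor, "bytes_out": out_bytes})
    return alerts


if __name__ == "__main__":
    for alert in find_amplification(SAMPLE_FLOWS):
        print(alert)
```

The same ratio test applies to any reflected UDP service; the port constant is the only NTP-specific part. On a real ntpd, the corresponding fix on the server side is to stop answering the query types that produce the large replies in the first place, so that the ratio never exceeds roughly one.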

No target too small

In this chaotic landscape, almost any business is a target. “I see the current environments of threats as more full on than before,” says Paul Dorey, director at security consultancy CSO Confidential and visiting professor at Royal Holloway, University of London.

“We have always seen attacks on the big targets like governments and banks, but now the whole supply chain is attacked to find the weakest link into corporate and personal data, no matter where it is held.

“Nobody is too small to be below the radar if they hold data worth stealing or manipulating.”

And more is to come. “It is not going to get any better soon – especially as there is much more money in selling security products than there is in training people in common sense,” says Schifreen.

The malware of the future is likely to be more destructive, while mobile threats will become more pernicious than the premium-rate SMS Trojans that make up most of the problem so far, says Jason Steer, director of technology strategy at security company FireEye.

“The Dark Seoul attack [which wiped systems at South Korean banks and TV stations] last year has really opened people’s eyes to more destructive attacks coming along. We did see a recent Zeus kit that had a wipe feature, so even crimeware that is prolific is getting this destructive capability now,” Steer says.

“Destructive is going to happen more as legislation comes in to report events. Hackers don't want to get caught so they will burn more to avoid prison,” Steer says.

“Mobile is going to become more sophisticated. It is still immature and will only improve. The bad stuff is focused on monetising but expect to see more in the espionage and surveillance field to get bigger.”

The biggest test of security chiefs’ abilities, however, will come with the rise of the Internet of Things (IoT). As embedded devices spread, operating on an automated basis and with limited security functionality, previously unconnected machines will become targets, whether they are printers or TVs.

IoT will not only expand businesses’ attack surface but also lead to greater complexity, meaning various controls will need to be applied to ensure trust is embedded in the machines, says Dave Raggett from the World Wide Web Consortium.

“Trust has to be earned. Services will need to provide clear privacy policies and to underpin that with strong security, both proactive and retroactive,” he says.

“Proactive security involves encryption, authentication, access control and approaches for handling privacy and provenance. Retroactive measures include monitoring for abnormal behaviour, defence in depth and mechanisms for limiting the effects of attacks.”

Dark cloud in view

IoT is also expected to change the nature of corporate security teams. Analyst firm Gartner has gone so far as to claim IoT security requirements “will reshape and expand over half of all global enterprise IT security programmes by 2020”.

It will bring about increased use of contractors and cloud providers, while businesses will seek to foster different skillsets, according to Earl Perkins, research vice-president at Gartner.

“During the early years of the IoT, skills for securing this environment will be scarce and will force many security officers to use contractor services while building expertise internally,” he says.

“Traditional security will go to hosted and cloud-based services to make way for the security teams to focus on this initial IoT security surge. Most IoT services will be heavily data-centric, so expect a surge in cloud-based data analytics to augment security-staff capabilities.

“Security teams will become more proficient in embedded software and systems, machine-to-machine communications and key management, to name a few new skills. Threat detection and response, vulnerability management, identity management and data protection – all will expand to include these new platforms and networks at scale.”

Call the experts

Many are already looking to outside help to assist with the growing pressures. Managed security services providers (MSSPs) are becoming increasingly attractive, as are pentesters helping to uncover holes in infrastructure.

In a survey of 833 security professionals, vendor Trustwave found 36 per cent already use MSSPs and 46 per cent plan to do so in the future.

Not that services providers can always be trusted, however. “There is a lack of maturity in that market as well,” says Dorey.

“Better standards of certification of security services and individuals, such as Institute of Information Security Professionals accreditation, is essential to help the less sophisticated buyer. Most companies will aim for a blended capability of internal and external security expertise.”

With the number of threats becoming unmanageable and traditional perimeter defences failing to repel new ones, the shift to increased use of MSSPs and cloud-based security is already in full swing, according to Honan.

Even the likes of the NHS have lumped money into the cloud, as seen in the health service’s deal with Zscaler to detect threats.

But providers are being trusted only with the most boring parts of security, as security officers look to involve themselves in strategy rather than getting bogged down in rudimentary technical tasks, according to Honan.

“I see companies looking to outsource a lot of their mundane and time-consuming tasks to third parties to enable their own experts to focus on the threats to their business,” he says.

“Risk management and other strategic tasks should remain in-house. It is too vital to the business to outsource such functions to a third party.”

Some are reluctant to give up any control whatsoever, especially since Edward Snowden’s revelations regarding NSA and GCHQ access to companies’ information.

“Anything security-related is best kept in house. Period,” says Schifreen. “Ask Snowden if you don't believe me.” ®