Not for him or me perhaps, but maybe there will be for you. Here’s a quick summary, interlaced with our comments and observations.
- Data Breaches. Yes, TJX dominated this area of irresponsibility with a record-breaking 45.7 million identities compromised, although the UK’s HMRC (Her Majesty’s Revenue and Customs) put in a spirited showing late in the year by losing 25 million records, which included bank account details. It was the worst year ever. Alfred remarked that the educational sector is actually the worst for data loss (if you count the number of incidents).
- Spam. Let’s hear it for the spammers, because 2007 was yet another record year for spam. And the spammers didn’t sit back on their laurels, either; they innovated with the introduction of PDF spam. There was also the nuance of using greeting-card spam to deliver the Storm Worm. It’s always nice when someone puts something a little special “just for you” in a greeting card.
- Phishing. Phishing continued to be a popular sport in 2007. Symantec detected an 18 percent increase in unique phishing sites during the first half of the year. Phishing toolkits contributed to the phenomenon (read on).
- Professional Attack Kits. If you want a comprehensive rundown of hacker tools and technology, read 10 Reasons Why The Black Hats Have Us Outgunned. Now, add in the fact that MPack, a Russian malware kit, was released in December 2006. It costs $500 to $1,000, which sounds expensive, unless you think of it as just 25 - 50 stolen identities. MPack is known to have been used in an attack on the Bank of India web site and it is estimated to have infected over 100,000 PCs with keyloggers. In the first half of the year, Symantec observed that 42 percent of phishing Web sites were produced by just 3 phishing toolkits. Inferior phishing software just can’t get traction any more.
- Vulnerabilities for Sale. WabiSabiLabi opened an auction-style system for selling vulnerability information to the highest bidder, sparking controversy and discussion about “responsible” versus “full” disclosure. Vulnerabilities were already for sale in private. It isn’t yet known whether this initiative is helping, hindering or making no difference.
- Bots. The extent of the botnets is unknown and can only be estimated. However, the very successful Storm Worm was specifically designed to create botnets; it has created thousands and, actually, it’s still doing the rounds. A Russian botnet was responsible for the attempt to disconnect Estonia from the Internet earlier this year. (And all because Estonia moved a statue - I kid you not). Botnets have become rented resources in the Black Hat market.
- Exploitation of Trusted Brands. The bad guys exploit trusted Web environments. Alfred and I had a long conversation about this. The sad truth is that only 18 percent of attacks now happen through the use of exploits (that’s Symantec’s figure). It’s just a lot easier and more effective to use social engineering techniques. The spoofing of trusted web sites can be thought of as part of this game. Despite the fact that some technical tricks may be employed, the point is that the user’s trust in the brand is exploited. Alfred tells me that the Black Hats are now devoting much more time to gathering specific data on people in order to prey on their trust. He expects that soon scams using social networking sites will become common. I’m inclined to agree. Why wouldn’t it happen?
- Web Plug-in Vulnerabilities. Web plug-in vulnerabilities and exploits are becoming more common. Exploits using ActiveX controls comprise the majority of plug-in vulnerabilities. Alfred points out that hackers are now building plug-ins that run in the browser only. Some are only there to steal CPU cycles. Symantec has detected well-engineered malware that limits its use of CPU and bandwidth so that the user will never detect that his/her resources are being used.
- Vista. Attackers quickly found holes in Microsoft Vista, with Microsoft releasing 16 security patches so far in 2007. Symantec is not impressed with Vista, even though it admits it is less vulnerable than XP. Alfred agreed with me that Microsoft could have done more.
- Virtual Machines. Symantec has noted the rise and prevalence of virtual machines and sees this as a future source of security pain. Alfred and I found ourselves in violent agreement about this. As usual, security is an afterthought. So far, though, there have been no direct attacks on hypervisors (to anyone’s knowledge).
So there you have it. It has been a disappointing year, except for the Black Hats, who are increasingly well organized and better armed. If you want more details, you can go direct to Symantec for them.




















