Web security predictions for 2008

ScanSafe has issued its 2008 security threat predictions. Topping the list – a continued growth in malware hidden on Web 2.0 sites and heightened security risks related to the growing number of remote and roaming workers. The full list of predictions includes:

1. Web 2.0 Will Continue to Fuel High Profile Attacks

The explosion in popularity of Web 2.0 applications has made Web 2.0 sites an increasingly rich target for cyber criminals. MySpace alone boasts more than 200m users. Web 2.0 applications will remain a key source of Web-based malware in 2008 and beyond. Examples include:

• Social networks present continued risks to corporate reputation and data leakage: Social networks, blogs, wikis and other collaborative sites pose an ongoing risk of employees deliberately or inadvertently discussing proprietary corporate information, office gossip or posting inappropriate information. For example, in 2007, the CEO of Whole Foods posted disparaging comments about a competitor on a financial blog.
• Gaming and other virtual environments become a growing target: The continued popularity of massive multiplayer online games (MMOs) like World of Warcraft, City of Heroes, Ragnarok Online, and other MMOs will continue to fuel a black market economy in in-game currency and rare items. This economy will be supported through the use of backdoors, bots, and password-stealing Trojans that target the users of these games, compromising their account details and trafficking the stolen goods to less talented players seeking instant status.
• Second Life sites emerge as a hacker target: Second Life and other avatar-driven virtual worlds will likely emerge as targets for pranksters or malware authors. Second Life residents logged 24m usage hours in September 2007, according to an October Reuters report on the virtual 3-D world. Residents have already been plagued with bots such as the CopyBot, which fleeces the virtual avatar of items they have purchased or developed in-game.
• Malware authors will continue to use online advertising to seed attacks: In 2007, ScanSafe identified numerous instances of malware hidden in banner ads, including a Trojan-laced banner ad displayed on high profile Web 2.0 sites such as MySpace and PhotoBucket. The ad required no user interaction to activate infection. The complex network of ad providers and ad affiliates has made it easy for attackers to surreptitiously insert malware in online ads.
• Social engineering tactics evolve with Web 2.0: User communities have sprung up around today’s interactive and highly social websites. These communities bond based on common interests; physical proximity boundaries are removed and this paves the way for trust relationships between virtual strangers. As a result, malware writers are able to bait a captive end user audience that is desensitised to invites or links from “unknown” user names based on their history of accepting links from “Friends of Friends” on sites like Facebook and MySpace.
• Hackers use implicit trust of known and brand name websites: Additionally, the trust relationship the user has with the site itself may cause them to automatically trust content coming from that site. For example, a user would understandably be more likely to allow ActiveX controls or allow javascript from a site which they visited frequently or a site with a well known brand name. If the site has been compromised in some way, either through exploit of a vulnerability or via third-party delivered content, this blanket trust can lead to so-called drive-by infections – even from otherwise perfectly legitimate sites.

2. Remote and Roaming Security a Mounting Pain Point for Businesses

The workforce has expanded well beyond the four walls of the office. According to figures from the UK Office of National Statistics, about 4m Brits work from various locations outside the office including home, hotels, airports, cars and other hotspots. As more employees are required to work remotely, and as many companies offer telecommuting as a job perk, it has become increasingly challenging for IT administrators to enforce policies for appropriate use of corporate resources – including use of the Internet on corporate-issued laptops. While employees enjoy the benefits of being un-tethered from the office, IT departments are left to address the unique security challenges that the roaming worker and an increasingly elastic network perimeter present, and that are beyond the scope of a VPN tunnel.

3. Continued Pressure to End Public “WhoIs” Information

Expect the heated debate over whether or not to continue to make “WhoIs” database information—the information that ties an Internet domain name to the owner of the site—public to continue in 2008. Privacy advocates and others are urging ICANN, the international body that overseas domain names, to end the ability for anyone to do a “WhoIs” lookup, arguing it infringes on website owners’ privacy. Current methods provide a means for legitimate users to suppress public display of their private information. The real beneficiaries of the removal of WhoIs will be the attackers themselves. As criminal profits continue to soar on the Internet, these same entities will likely actively lobby for and pursue changes that create an Internet environment even more conducive to carrying out online crime.

4. Growing Underground Market for Warehousing and Selling of Stolen Database Information

In 2007, data theft hit new records. Discount retailer T.J. Maxx, parent of T.K. Maxx, reported data theft involving 45.7m credit and debit cards. In late November, the Government announced that the complete personal data of 25m individuals had been inadvertently lost – the largest data loss in this country’s history. Given the frequency of such large-scale data vulnerabilities, expect to see a growing underground market for confidential personal information. ScanSafe predicts an increase in the selling and servicing of stolen contact databases, mimicking what is seen in ‘legitimate’ data warehousing.

5. “Storm Worm’ Hangover Continues Well Into 2008

The Storm Worm dominated the security landscape in 2007 and its effects will continue to be felt in 2008. However, there have been several misconceptions about Storm. Contrary to popular belief, the Storm family of threats evolved in 2006. In January 2007, one of the variants was spread in an email bearing the subject line “230 dead as storm batters Europe.” This email coincided with a very real and deadly storm inEurope, earning its nickname “Storm worm.” The real take-away from Storm is that it is a well thought out, extremely organised series of attacks that have led to the creation of one of the largest botnets, estimated to be well over 1.5m infected machines at any given time. Expect this botnet to be used by cyber criminals in 2008 and beyond.