Monday, June 13, 2011

Puddles

I believe that we have reached a saturation point.  You know how, after heavy rain, the ground can’t absorb any more water and it begins to pool on the ground? We’ve reached that point with security incidents.
 
The bad guys just can’t pump out new malware any faster. Check out the Norton Cybercrime Index.  The trends for 2011 are pretty much flat. The explosive growth in malware we’ve seen in the previous 10 years is just not sustainable. Maybe new hacker tools will come along, new propagation methods, or more platforms, or more people to infect.  But for now, things are beginning to stagnate.  
 
This is not to say the problem is going away.  There were 286M new malware variants in 2010. 286 million! But even that mind-blowing number reflect a slow down.  It’s more than the year before, but not the 100% increase we've reported in previous years.  It’s not like the growth we use to see.
 
So how to explain the nearly endless parade of security incidents we've seen in the last few weeks?  Well, in some ways, these are the puddles forming on the ground.  It’s not that rain has gotten harder, it’s just that the ground has stopped absorbing them all.  Some of what we are seeing does reflect the bad guys attacking new platforms and finding new people to infect.  But it’s mainly puddles.  And the fact that many of these incidents show how much higher the stakes have become.  
 
Before declaring a trend one way or the other, it's worth understanding the types of security incidents we’ve been reading about in the last few weeks.  While there have been a lot of incidents, they are not all the same.  What we’ve seen these past few weeks break down into three well-known categories: massive attacks, targeted attacks and hacktivism.
 
Massive attacks - Fake AV has been around for years. It remains the most popular type of massive attack.  At $49.95 per victim it’s a profitable business.   News coverage here does not reflect a major increase in these attacks; it reflects the novelty of these attacks now being directed at Macintosh computers. 
 
It’s called a “massive attack” because the bad guys are trying to infect as many people as possible.  They know only a small percentage will fall for their scam, so the best way to increase profit is to increase the number of computers targeted. In their search for new targets, eventually these crooks were going to start looking at the Mac. So the appearance of fake AV on Mac was inevitable.  If you were shocked when this happened you should prepare yourself.  These things will be showing up on mobile phones next.
 
Targeted attacks - Hardly a new occurrence.  But two events in 2010 started to increase the conversation about targeted attacks.  The first was Stuxnet.  The second was the phrase advanced persistent threats.  I’m pretty ambivalent about the term APTs.  The phrase has certainly captured people’s imagination and if it makes it easier to have a conversation about security because of the phrase, I’m all for it.  But the majority of the attacks being labeled APT are frankly not very “advanced” and often not that “persistent.”  “Targeted attacks” may be harder to create an acronym from, but it’s a better description.  Take the recent compromise of webmail accounts that was widely reported on in the media..  It certainly wasn’t an advanced type of attack; it was spear phishing.  There wasn’t even malware involved. What it was, was targeted - and that’s what got our attention.  That, and the fact that the affected company told us what happened.  Credit to Google.  They seem to have started the trend in 2010 with Hydraq, of companies talking publicly about attacks targeted at them.  This has benefited us all.  They’ve built awareness about these types of threats and allowed security companies to have meaningful conversations with their customers about targeted attacks.  It’s no longer a discussion about the theoretical.  The real risks of security incidents are now a lot clearer to businesses.
 
So the trend here is not an increase in targeted attacks, but an increase in companies willing to talk publicly about them.
 
Hacktivism - Crunch together the words hacking and activism and you get hacktivism.  My spell checker hates this phrase almost as much as I do.  But, until a better one comes along, it will have to do. The phrase was created in 1994; it’s been going on a lot longer than that.  A hacktivist’s main form of expression used to be in defacing webpage, spamming and the occasional DDoS (distributed denial-of-service) attack. 
 
The last major example of this was a DDoS attack targeting payment processors, online retailers and others.  This happened last  December in protest against sites that stopped handling transactions for Wikileaks.  The DDoS attacks were generally considered ineffective, but I think they were a major success.  They may not have shut down any site for any significant period of time.  But they generated an enormous amount of publicity.  And isn’t that really the goal of hacktivism?
 
So, if there is any type of security incident seeing a significant rise, it would be hacktivism.   The group responsible for the December incidents has since moved on to another highly publicized attack, breaking into a security company and posting all their email online.  Now a multinational gaming and entertainment company has felt the sting.  User passwords were stolen, but not for profit.  They were posted on line to generate publicity.  And this has worked brilliantly.  It’s worked so well that other hackers jumped in and launched their own attacks against the same company.  These created new news, which encourages other hackers to… It’s a vicious cycle.
 
So, is the threat landscape worse than before?  Yes.  But, we’ve been saying that for years. It’s reached the point of being a cliché. What’s new is that there is greater visibility to these threats.  The good news is that these events are finally getting the attention they deserve.  The bad news is that these incidents make clear the stakes are higher than they’ve ever been before.  

By: Kevin Haley