More Creative, Crippling Internet Threats Predicted in 2007
Sophisticated hackers will devise new, creative ways of sabotaging systems in 2007, experts told us. Expect more dangerous phishing scams and targeted attacks and other devastating threats, they said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Security provider Symantec is “still seeing a huge number of infections, and the volume of threats has not gone down,” said Oliver Friedrichs, Symantec dir.-emerging technologies & security response. Some users are getting the message. “On an individual level, people get it. But when it comes to an organization implementing suitable controls I think we have a ways to go,” said Robert Richardson, dir- Computer Security Institute (CSI).
In 2007, “significant organizations” will “invest in new measures” and even the govt. may get “its house in order,” Richardson said: “They've made some strategic mistakes. It’s fair to say that they haven’t really focused the attention on cyber security that they need to.”
The new year will see a “departure from widespread to more focused, targeted attacks,” Friedrichs said. Instead of phishing randomly, scammers research companies, sending “very targeted” e-mails from trusted accounts, Richardson said. The message could contain keystroke-monitoring malware and “an “entire cybersecurity system could unravel.” Some attacks target govt. contractors and “key tech companies,” Friedrichs said: “Many appear to come from foreign nations.” Security experts don’t “have a good handle on the scope of these attacks,” or how much they cost affected businesses because these hackers are “flying low,” Richardson said: “Social engineering remains the tool of choice in various guises. The attempt to get you to click on a really bogus looking link is passe.” CSI may try to gather data on these targeted attacks in 2007, he said.
Phishers are “transcending technology boundaries,” said Friedrichs. A scammer will send text messages telling users to go to a certain site and unsubscribe from a paid service they never ordered, he explained. The tactic makes it “very difficult not to go to their site,” he said.
Financial institutions are adopting new user verification methods to suit an FDIC 2-identification factor mandate, said Richardson. Some banks ask users to pick an image or provide their own; the image must be chosen on login for access to an account. For big transactions, customers can supply a single-use password. But even these steps aren’t foolproof, he said. Sharp hackers still can capture the picture. “As a whole, the Internet doesn’t have this problem solved,” he said.
Last week’s Sony settlement (WID Dec 21 p1) highlights rootkits among an increasingly prevalent class of “harder to remove ’tough threats'” Friedrichs said. These threats are so hard to find even an intermediate user searching for one on a task manager wouldn’t find it, he said. Detection of “tough threats” is one area that “really separates a weak security solution from a strong one,” he said.
Users will discover more zero-day exploits hidden in new products, often without a vendor’s knowledge, Friedrichs said. Microsoft this year battled such problem with Vista, Word and other products. It can take up to a month for manufacturers to issue a patch or update, he said.
Despite the bad news, reports of cyber gangs recruiting a new generation of hackers may be overblown, Richardson said: “There’s a more hardened criminal element at work,” he said, adding that as yet there are no “cyberterrorism training schools.” Friedrichs agreed that this “doomsday scenario hasn’t played out yet.”