Security lessons not learned will haunt us in 2009

• Tags:
• Social Engineering,
• Malware,
• Security,
• Botnets

Mary Landesman, ScanSafe

Published: 12 Jan 2009 13:48 GMT

• 
• 
• 
• 
• 

...tens of thousands of new variants of malware each month, in effect launching a denial-of-service attack against signature-based vendors.

Where response times to new malware used to be measured in hours, now it can be days, weeks and even months before antivirus software is updated. Still, 80 percent is vastly superior to zero percent and thus signature-based antivirus continues to play a critical role. It cannot, however, continue to be perceived as a standalone defence in today's malware wars.

In A Case-Study of Keyloggers and Dropzones, authors Thorsten Hole, Markus Engelbert and Felix Refiling of the University of Mannheim studied two families of keyloggers between April and October 2008. Through their honey net, the authors discovered 300 dropzones and were able to fully penetrate 70 of those.

They uncovered 5,682 stolen credit-card numbers resulting from the attacks, and an estimated loss of funds of almost $1.7m (£1.2m). Also discovered were "10,775 unique bank-account credentials", 149,458 email credentials, and 78,359 stolen social-networking credentials. The black market in stolen data provides millions in revenue for criminals and exacts a high financial toll on the economy.

Growing trend
Threats like these have been increasing exponentially month on month. There was more web-distributed malware in July 2008 than in the whole of 2007. October 2008 was 21 percent worse. November was as bad as October and December hasn't shown much improvement.

If that trend continues — and there's no reason to believe it won't — 2009 may prove a pivotal year for the future health and viability of the web. Before you write that off as doomsday marketing, consider the $21.2bn internet advertising economy that depends on the acceptance of third-party scripts. Add in the potential economic impact of intellectual property theft, credit-card fraud, and identity theft and the magnitude of the problem becomes clearer.

My hope for 2009 is that we stop viewing these issues as simply a malware problem. The web is under attack, as are corporations and consumers.

Today's malware is not about digital graffiti or prankish control of computers. It's about stealing property — yours, mine, and ours. The criminals have advanced their technologies, using the power of the cloud to their own advantage.

Collectively, we need to advance our own protection mechanisms, combined with user education and criminal sanctions, to combat this threat and retake the web.

Happy new year.

Mary Landesman is the senior security researcher for ScanSafe.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit