Security Trends Archive
McAfee Labs: "2016 Threats Predictions"
The trend: This year, attacks against popular applications, large enterprises and government agencies, payment systems, and cloud services platforms will increase. A very common method is to steal crucial information from individual consumers and employees: cybercriminals first steal customers' user names and passwords through phishing or keylogging, or they hack employees' home systems or insecure networks in hotels; then they use the stolen information to breach a corporate database and steal personal information, including credit cards, social security numbers, and addresses, of millions of individuals. Once the attackers have obtained the data, they sell it as quickly as possible and pocket the profits.
In this 39-page paper, McAfee Labs predicts several major security threats for 2016:
- Application vulnerabilities are an ongoing problem for software developers and their customers. Adobe Flash, Internet Explorer, and increasingly, embedded systems, the Internet of Things, and infrastructure software will become the targets for advanced threats and zero-day attacks.
- Payment system cybercriminals will increasingly focus on attacks that lead to the theft and sale of credentials. They will leverage traditional, time-proven mechanisms including phishing attacks and keystroke loggers, and they will target the consumers directly because they are both the source of the credentials and the weakest link in the payment process. New attack methods will emerge too. And the number of payment system thefts will continue its relentless growth.
- Attacks against large enterprises and governmental agencies will continue. Research indicates that the number of attacks continues to grow. In 2016, we should expect to see at least one, if not more, major attacks that start with an employee-owned system or a company system that is in an insecure location such as a hotel or coffee shop. And Android devices also serve as a gateway into secure environments for malware or advanced persistent threats.
- Cybercriminals, nefarious competitors, vigilante justice seekers, and nation-states will increasingly target cloud services platforms to exploit companies and steal valuable and confidential data, using it for competitive advantage, or financial or strategic gain.
This threat should lead to IT organizations taking a hard look at what it means to be secure. It isn’t enough to worry about security only on your company’s network. Smart organizations need to expand their protection into the homes of their employees. If an organization has the latest technology installed with smart people in place to create effective policies and remain vigilant, attackers have few options.
The trend: 2013 may be remembered as the “year of the retailer breach,” but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.
The Verizon Data Breach Report has identified the 10 most common security incidents of the past 10 years, including the attack patterns, hacking techniques and common missteps in security measures designed to prevent data leakage and theft. In addition to the 1,367 confirmed data breaches analyzed by the 2014 Verizon Data Breach Investigations Report, researchers added analysis of more than 63,000 security incidents to reveal the most common attacks. Verizon examined the actions of cybercriminals, their techniques and the data they are targeting to identify distinct classification patterns. These 10 most common security incidents describe nine distinct patterns that reflect 92 percent of the more than 100,000 security incidents collected over a 10-year period, Verizon said.
The top threat: Web Application Attacks:
Web applications were associated with 3,937 security incidents and 490 confirmed data breaches in 2013. Many of the attacks analyzed by Verizon were targeting popular blogging platforms or content management systems from Joomla, WordPress and Drupal. The company said the attacks appeared to be driven by hacktivists, whose intent is to hack a server and use its power to carry out distributed denial-of-service attacks. Financially motivated cybercriminals also targeted Web applications to infect a website and use it as a platform for drive-by attacks.
Businesses need to ensure content management systems and their components are patched and use strong passwords, Verizon said. They also should consider two-factor authentication and use code-scanning software to find and fix Web application vulnerabilities. Businesses also should enforce lockout policies to guard against brute-force attacks.
The above is an excerpt from Robert Westervelt's apt summary of Verizon's annual report.
Symantec: "Internet Security Threat Report 2013"
The trend: Targeted attacks increased by 42% in 2012, with 50 percent of all targeted attacks aimed at businesses with fewer than 2,500 employees. The attackers are casting a wider net and targeting less senior positions below the executive level in order to gain access to companies. And they continue to use social engineering techniques in targeted attacks to obtain personal information.
- Assume You’re a Target: Small size and relative anonymity are not defenses against the most sophisticated attacks. Targeted attacks threaten small companies as well as large ones. Attackers could also use your website as a way to attack other people. If you assume you are a potential target and improve your defenses against the most serious threats, you will automatically improve your protection against other threats.
- Defense in Depth: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network. Endpoints must be secured by more than signature-based antivirus technology.
- Educate Employees: Raise employees’ awareness about the risks of social engineering and counter it with staff training. Similarly, good training and procedures can reduce the risk of accidental data loss and other insider risks. Train staff about the value of data and how to protect it.
- Data Loss Prevention: Prevent data loss and exfiltration with data loss protection software on your network. Use encryption to protect data in transit, whether online or via removable storage.
The trend: The 2012 Norton Cybercrime Report states that strong passwords were one key element for protecting end-users online. It also warns that newer forms of cybercrime are being targeted at social networks and mobile devices.
According to John Fontana, the Norton report highlights the fact that Internet users are ignoring core precautions. The survey, conducted by Norton with 13,000 adults in 24 countries, shows that 46% don’t use a password that combines phrases, letters, numbers, symbols and caps and lowercase (so-called complex passwords), a practice that makes them much more vulnerable to hackers and identity thieves.
Other related findings include:
- 72% of adults online in the United States have been the victim of cybercrime in their lifetimes.
- There are 71 million cybercrime victims in the U.S., and the average direct cost per victim is $290.
- The global price tag for consumer cybercrime is $110 billion annually.
- In the first half of this year alone, three hacks involving LinkedIn, Zappos and eHarmony resulted in more than 30 million stolen passwords.
- A recent study by security vendor Security Coverage shows password theft is up 300% this year.
The trend: Over the past few years, the data shows that malware infection continues to climb. Attackers utilized remote installation or injection of malicious code in slightly more than half of malware-related cases in 2009, about 80% in 2010, and a staggering 95% in the past year (p.27).
"Malware factored in over two-thirds of the 2011 caseload and 95% of all stolen data." So concludes Verizon's 2012 Data Breach Investigation Report.
Keyloggers, form-grabbers, and spyware (malware that captures data from user activity) top the list of "Top 10 Threat Action Types by number of breaches and records" (p.25).
Two other findings:
- Companies, big and small, saw a fair amount of malicious code designed to capture user inputs, commonly called keyloggers—they were present in almost half of all breaches (48%). This most likely contributed to the use of stolen credentials in roughly one out of three incidents (p.26).
- Much as it has in the past, the most common malware infection vector continues to be installation or injection by a remote attacker. This covers scenarios in which an attacker breaches a system via remote access and then deploys malware or injects code via web application vulnerabilities (p.27).
For more on major threats and ways to combat them, read the Report »
The trend: A survey of 3,300 companies in 36 countries finds that while businesses face a variety of risks, the top three concerns are related to data and network security.
Among the survey's findings, ninety-two percent of companies saw losses from cyberattacks and the top three reported losses were:
- theft of employee’s identity information, and
- theft of intellectual property.
These losses translated to monetary costs 84 percent of the time. The top costs were productivity; revenue; lost organization, customer, or employee data; and brand reputation.
One of Symantec's recommendations:
Businesses need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization. Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices. Read the full report »
The trend: A common thread with all financial malware is keylogging the victim’s username and password. The stolen information is then used to transfer the victim’s money to the bank accounts of the attacker’s choice through EFT (Electronic Fund Transfers).
Michael Kassner, a widely read and respected IT security expert, warns that Carberp, a relatively unknown financial malware, is deadlier than even the famous Zeus because of its new capabilities ("Carberp: Quietly replacing Zeus as the financial malware of choice").
Observing that keylogging applications are used in all financial malware, Mr. Kassner embarks on a quest for a way to fight back and discovers KeyScrambler.
An interview with Qian Wang, developer of KeyScrambler, follows a week later in "KeyScrambler: How keystroke encryption works to thwart keylogging threats."
How does KeyScrambler accomplish its claim that “KeyScrambler encrypts keystrokes at the keyboard driver level, deep in the operating system, to defeat existing and future keyloggers”? What makes KeyScrambler unique? Why did you choose the encryption route?
These rigorous, exploratory questions and Mr. Wang's detailed, informative answers, together with Mr. Kassner's own research and testing of the program, lead to a strong recommendation of KeyScrambler as "an answer" to the pervasive financial malware threats.
The trend: Top browsers are in a state of continuous enhancement. At the same time, the right security add-ons will make your current browser (preferably IE 8) safer.
Dennis O'Reilly, a widely read, award-winning author on PCs and other technologies, recommends the best security add-ons to enhance Internet Explorer's privacy and security, KeyScrambler among them.
In Mr. O'Reilly's words:
The most insidious forms of malware are programs that log every key you press in an attempt to collect your log-in IDs, passwords, credit card and bank account numbers, and other sensitive information. QFX Software's free KeyScrambler Personal works with IE and Firefox to encrypt your keystrokes as the information travels from your keyboard to the browser, where the keys are decrypted.
The $30 Pro version of KeyScrambler works with more than 100 applications, according to the company, and the $45 Premium version encrypts the keys you press in MS Office and more than 150 other programs, as well as the Windows log-in screen.
The other best security add-ons include the WOT (Web of Trust) toolbar, BuySafe's Shopping Advisor toolbar, and No More Cookies. Read more about the add-ons »
Logan Kugler, a well-respected Internet security expert, cautions that our computers are loaded with details about our personal and business lives, which could be exploited by increasingly sophisticated hackers and cybercrooks. He recommends KeyScrambler and 7 other essential Firefox extensions for "comprehensive protection of our privacy" on the Web.
This is what Mr. Kugler says about KeyScrambler:
One of the more insidious threats bad guys can throw at you is a keylogger, a tiny piece of software that invisibly captures every keystroke you make and sends it back to its home base. Your stream of keystrokes can provide cybercrooks with personal information like your Social Security number or credit card numbers, and of course your log-in information for Web sites, applications and your computer itself.
QFX Software's KeyScrambler Personal offers a clever way to defeat keyloggers -- as you type, KeyScrambler encrypts the keystrokes at the driver level and then decrypts them in the browser. Any keystroke-logging malware on your computer will capture only the encrypted signal, which it will see as gibberish.
KeyScrambler Personal for Firefox, IE and Flock is free; there are also paid versions -- Pro ($29.99) and Premium ($44.99) -- that extend protection to other browsers, e-mail clients, password managers and many other applications.
The other essential Firefox extensions are PasswordMaker, Ghostery, BetterPrivacy, NoScript, FireFound, and OptimizeGoogle. Read more about the extensions »
The trend: The Internet has become something of a security minefield, and it's easy to get in trouble. But if you're aware of some of the hazards you may encounter, you can stay out of harm's way.
Nick Mediati picks out the 17 most prevalent perils on the Internet and provides tips to steer clear of the dangers.
- Malicious Flash files that can infect your PC
- Shortened links that lead you to potentially harmful places
- E-mail scams or attachments that get you to install malware or give up personal info
- Malware hiding in video, music, or software downloads
- Malware in photos or videos of scantily clad women
- Trojan horses disguised as video codecs, infecting your PC with malware
- Geolocation--your smartphone and perhaps other parties know where you are
- 'Poisoned' search engine results that go to malware-carrying Websites
- Malicious PDFs that try to fool you into installing malware
- Malicious video files using flaws in player software to hijack PCs
- Drive-by downloads that install malware when you visit a site
- Fake antivirus software that extorts money — and your credit card information
- Fraudulent ads on sites that lead you to scams or malware
- Questionable Facebook apps
- Sites that lure you in, get you to sign up, then sell your e-mail address for spam
- Phishing 2.0 on social networks that tricks you into downloading malware or giving your Facebook login information to a criminal
- Oversharing--exposing too much personal information on your social network profiles
Mr. Mediati recommends 5 ways to stay safe online:
- Be sure to run Windows Update and the software update features in the other programs that you use every day.
- Don't use the same password in multiple places. And use longer passwords. If you have lots of accounts to manage, use a password manager.
- Use security software. And check PC World's antivirus and security software page regularly for the latest on security products.
- Use your common sense.
- Assume that everyone's out to get you.
PC security is one area where it pays to be paranoid. Just remember that no security software is fail-safe, and that you're still the one sitting at the keyboard. Assume that no site is safe. And don't automatically trust a link or file download, even if a friend sends it to you.
The trend: More companies are coming out with free software, and no-cost basic protection is fast catching on.
Consumers can get basic free protection from Microsoft with few hassles. Or they can opt for more robust protection — also at no cost — from a half-dozen reputable anti-virus makers.
"With cyberattacks saturating the Internet, a dramatic shift is underway in the $7 billion-a-year anti-virus industry — and it's all good news for consumers," Byron Acohido, a seasoned security expert, writes.
What's the good news? Answer: More companies are coming out with free software, and no-cost basic protection is fast catching on.
All you need to do is a little homework, as Mickey Cashen, a KeyScrambler user, did.
Here is Mr. Cashen's story as told in USA TODAY:
Last spring, Cashen discovered that an intruder had accessed his older Windows XP computer to send e-mail spam to his friends, despite running an updated anti-virus program.
The retired high school science teacher from Brooklyn Park, Md., estimates that he spent 50 hours over the next six months researching and evaluating security products. Cashen read product reviews in PC Magazine, PC World and on CNet and scoured lab tests by av-comparatives.org and malwareresearchgroup.com, two independent tech security research groups.
He decided not to spend a penny, opting for free Avira AntiVir Personal for basic protection, combined with a free firewall from Comodo.
He also began using WinPatrol, a free program that blocks unauthorized additions to his PC's start-up sequence — a technique hackers use to re-infect your PC each time you boot up. And he relies on not one but three free Web browser plug-ins — AVG LinkScanner, McAfee SiteAdvisor and KeyScrambler — to help steer him clear of infected Web pages.
"I learned that multiple layers of protection are preferred," says Cashen. "I ended up very satisfied with what I think is a small fortress."
The trend: Wire-transfer fraud is a growing problem in the United States, and nine out of ten times the bank will assign blame to the individual consumer whether they are responsible or not.
Identity theft takes many forms, but Lenny Vigliotti never imagined it would show up as somebody wiring $12,000 from his South Florida savings account through multiple banks to end up in the Ukraine.
Vigliotti's woes began July 2, when he checked his savings account balance and noticed that $12,000 had been withdrawn — without his authorization. The money was taken out in installments of $3,000 each over four straight days: June 28, 29, 30 and July 1. He immediately went to the bank to inquire.
The bank said it had received an authorization by fax to withdraw the money with a signature, phone number and fax number, which Vigliotti said were not his. He contacted the police and began searching for more information into wire-transfer fraud, eventually asking the Office of Thrift Supervision, which oversees his bank, to investigate as well.
Data-security expert Tom Field said the incident sounds like a "textbook case of fraud." He said masterminds typically steal data from computers and then use "money mules" who send cash through multiple accounts and often overseas to Eastern Europe and Russia, "hotbeds of activity."
Nearly three months after he noticed the money missing, Vigliotti has yet to recoup the cash. As investigations proceed, he's found out there's a chance he may never get those savings back either.
Rules governing wire transfers place a larger burden on account holders than laws on credit cards or debit cards, Vigliotti has learned. And his Fort Lauderdale bank says he may not have met required security requirements on his computer system — even though he has secured wireless, firewalls, anti-virus software and other protection — and so, the bank may not be liable to pay him back.
"What's a normal citizen supposed to do with their computer?" Vigliotti asked. "I have secured wireless, AOL with firewalls, anti-virus — What more am I supposed to have?"
Hemlock's recommendation: Secure your computer system as much as possible. That means keeping a strong password, not your name or social security number; securing and encrypting your wireless system; keeping anti-virus software; and working with Internet providers with firewalls. Read more of the recommendations
The trend: Keystroke loggers (keyloggers) are identified as the third most prevalent threat to confidential information in 2008, with 75 percent of malicious code infections having this capability.
According to the report, successfully installed keystroke loggers record keystrokes on compromised computers and then return the data to the attacker. This can be achieved by emailing it to the attacker or by uploading the data to an attacker-controlled website. The attacker can process the keystroke data to extract user account credentials such as those for online banking websites, stock-trading websites, or online game accounts. Additional data, such as information typed in email messages or other documents, could also be exposed. This information can then be sold in the underground economy or used to launch further attacks.
One of Symantec's recommendations: "To reduce the likelihood of identity theft, organizations that store personal information should take the necessary steps to protect data transmitted over the Internet or stored on their computers."
A Gartner survey of more than 4,500 online U.S. adults in August 2007 found that phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks. 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before. Gartner experts believe that phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
In December 2007, Donna Borak reported in "The Associated Press" that "An estimated 8.3 million Americans older than 18 were victims of identity theft in 2005, according to an analysis of a phone survey released by the Federal Trade Commission. Among them, 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had credit-card accounts misused and 3.3 million experienced misuse of other financial accounts. The FTC estimates that identity theft cost American consumers $1.2 billion in 2006. Javelin Strategy & Research reports that identity theft cost U.S. businesses $55.7 billion in the same year."
A McAfee Avert Labs white paper, released in January of 2007, reports that the number of keyloggers (malicious software code that tracks typing activity to capture passwords and other private information) increased by 250 percent between January 2004 and May 2006.
In March 2007, a Webroot study found that over 40 percent of the companies surveyed reported business losses from a variety of spyware-related issues and 26 percent of enterprises reported that confidential information had been compromised as a result of spyware. The rate of spyware infection is an alarming trend, as
- 39 percent of companies reported Trojan horse attacks;
- 24 percent reported system monitor attacks; and
- 20 percent reported pharming and keylogger attacks.
Other news reports: Gartner Survey Shows Phishing Attacks Escalated in 2007; New malware becomes harder to detect; Keyloggers stole from a city's coffers; Trickier phishers target corporate executives; Antivirus protection worse than a year ago.