New Path Of Attack
Just when patching showed progress against the worst security threats, cybercriminals shift their focus.
Cybercriminals have had it with the limelight. With the law onto them, they've mostly abandoned self-aggrandizing vandalism to concentrate on more clandestine concerns: making money off someone else's data. And to do that, they're now attacking applications rather than operating systems.
A report on the 20 most-critical Internet security vulnerabilities for 2005, released last week by the SANS Institute in conjunction with government representatives from the United States and the United Kingdom, shows an unsettling shift. While most hacking between 1999 and 2004 targeted operating systems and Internet services on Web servers and E-mail servers, that changed this past year. Now, applications and network devices' operating systems have become the primary targets.
For businesses, solving that problem is much tougher than just keeping up to date on Microsoft patches. Many of the new targets don't have systems for automated patches, and companies may not have the same processes and relationships with vendors to fix problems swiftly. And since the goal of these attacks isn't to spread mass infection like an "I Love You" worm, and instead is to steal information and money, they can go unnoticed.
"Security has been set back nearly six years in the past 18 months," says Alan Paller, director of research for the SANS Institute, via E-mail. SANS, a nonprofit research and training organization, has been compiling a top 20 list since 2000.
The applications under fire span the range of software programs a business might use and run on a variety of operating systems. They include enterprise backup software, the PHP scripting language, databases, peer-to-peer file sharing, Domain Name System server software, media players, instant-messaging applications, and Internet browsers. Even antivirus software makes the list, with vulnerabilities in security software from CA, ClamAV, F-Secure, McAfee, Sophos, Symantec, and Trend Micro, among others, raising the possibility of attackers taking over users' systems by using the software that's intended to protect them.
The second major finding of the report is that vulnerabilities in network operating systems, including Cisco's Internetwork Operating System, which SANS says runs some 85% of the routers and switches on the Internet backbone, represent a significant threat. Cisco acknowledged weaknesses in its operating system earlier this year, when it issued a security advisory for a serious IOS "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. Cisco responded quickly, and no such attack has been reported. But even the possibility of such a network hijacking was an eye-opener for network administrators.
Microsoft deserves some credit for the shift, since one reason crooks are moving on to other applications is that Windows has become less vulnerable (though it remains on SANS' top 20 list). Microsoft admitted it had a major security problem and set out to improve its code. That has led to fewer automated worm attacks, for example, because they aren't as effective, thanks to changes in Windows XP SP2, Windows Server 2003, Office 2003, and Outlook. "It's far more difficult for hackers to try to embed malicious images or to try to conduct malicious attacks through E-mail," says Stephen Toulouse, security program manager at Microsoft's Security Response Center.
Those who manage computers get some credit, too, for being more diligent about patching. But with applications and other types of software becoming prime targets, it raises questions about the readiness of vendors and users alike. "Certainly application patching is much more painful than it needs to be," says Don Westlight, network engineering manager at Oregon Health & Science University. Patching Microsoft products and the "generic desktop" has gotten easier, thanks to better patch-management tools, Westlight says. Other systems, many of which hold the most-critical data, are another story. "Legacy software is a much bigger problem, and it's much weaker," Westlight says. And not all patching is effective. Java patches, he says, can cause unexpected behavior in applications if they depend on specific versions of Java.
Data Backup Risks
One of the SANS report's most-worrisome findings for business managers is the vulnerability of data-backup software, because such software, if it can be breached, provides something akin to one-stop shopping for critical corporate data. "An attacker can leverage these flaws for an enterprisewide compromise and obtain access to the sensitive backed-up data," the report concludes, noting that exploits for many of the vulnerabilities have spread via Internet postings and are in use.
Software vendors say they're addressing these risks. Symantec, which sells its Veritas data-backup software as well as antivirus and other security software, issued a written statement explaining its security processes. They include pushing some patches automatically to customers and sending E-mail security alerts. CA also responded with a written statement: "CA tests its software for security flaws before release and vigilantly tracks activity in the field in order to respond to the first sign that a vulnerability has been discovered."
Targeted Attacks
Attackers who go after specific vulnerabilities at specific companies can have a particularly disastrous impact, the SANS report says. It's a trend other organizations have noticed. In mid-July, the Department of Energy Computer Incident Advisory Capability issued a warning about it. "We're seeing more-targeted attacks both within and outside of the DOE," the bulletin said.
IT managers are noticing, too. "The coordination of attacks over the last few years seems to be increasing," says Mark Richmond, network systems engineer for the U.S. District Court, Eastern District of California. "There are cooperative arrangements between various groups, formal or informal, that seem to be facilitating the use of networks and computers for criminal activities." Richmond says he has the situation in hand. "We limit access to our systems beyond the point of inconvenience," he says. "We use a private network. We're gated to the Internet in very narrow gates that are very tightly controlled, partly because of security concerns and partly to protect the performance that we need to get our work done."
Almost any organization with sensitive personal or financial data represents a potential target. Gartner security analyst John Pescatore points to recent reports of credit-card identity theft, some of which involved the installation of a rootkit on a specific server to harvest information from databases to send to criminals. "There's just so much more financially motivated attacking going on," he says.
Fear of such attacks is changing consumer behavior. Two recent studies, one by the Pew Internet & American Life Project and the other by Consumer Reports WebWatch, find that more than 90% of Internet users say they have adjusted their online behavior out of fear of cybercrime. The Consumer Reports WebWatch study indicates that fully a quarter of U.S. Internet users have stopped buying things online. Fear of online victimization also could curtail the growth of electronic bill presentment and payment, which offer companies significant savings over paper-payment processing.
Targeted attacks don't typically get reported, unless there's a breach of customer data covered under disclosure laws such as California's. Tight-lipped companies hope to avoid bad publicity and prevent scaring more online consumers, under the theory that what they don't know won't deter them. But silence also makes it harder for security professionals to make the case for increased investment in security.
The SANS report should put pressure on software companies. It highlights the need to harden the presentation and application layers as a means to reduce cybersecurity events, says Howard Schmidt, former chief security officer for Microsoft and, later, eBay. "The first stop on the way to fix this is through secure coding and better QA of development processes, penetration testing on compiled code, as well as vulnerability testing of integrated, deployed applications via Web front ends," he says, via E-mail.
The U.S. Air Force offers one example of how to ramp up the pressure: Demand a security service-level agreement. Late last year, the Air Force contracted with Microsoft and Dell to simplify acquisitions, cybersecurity, patching, and configuration. The contract is worth an estimated $500 million over six years. The result is supposed to be that the Air Force always has an up-to-date version of Windows, including all the latest patches.
Paller from SANS points to that deal, plus similar ones between the Department of Energy and Oracle and between Sandia National Laboratories and Sun Microsystems, and suggests that large organizations have the leverage to improve security for themselves, and ultimately for everyone, by holding vendors more accountable.
Companies, in general, are better prepared to deal with security issues than they were a few years ago and are better at responding to security alerts and patching systems. But criminal hackers are better prepared, too. Pescatore of Gartner puts it well: "The good news is the termites are no longer eating the bottom floor of your house. The bad news is they're eating the top floor."