Information Security News mailing list archives

New Wave of Threats Against Your Data


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:03:42 -0600

http://www.business2.com/content/magazine/breakthrough/2001/02/26/26878

Ann Harrison
March 06, 2001 issue

Here's a scenario to ruin your day: A cyberattacker gains access to
the Nasdaq database and alters index figures that trigger sell orders
in automated stock-trading programs. Before the error is even
detected, your company's share price has plunged 50 percent.

Here's another scary thought: While attending a trade show, you decide
to hot synch all the new contact information recorded in your Palm and
place it on your PC. It takes only a second to connect the two devices
over the Internet. But in that second, an intruder has copied all the
information sent to your PC.

Situations such as these, which can turn the strengths of emerging
technologies into weaknesses, are among a new wave of threats against
your company's data. Unlike earlier cybervandalism, which takes
advantage of flaws in software and security protocols on wired
networks, the new wave of cyberattacks may well be directed against
popular technologies such as instant messaging, Palm computing, and
cellular phones that exist outside the protected corporate
environment. Perhaps most significantly, hackers are beginning to
target the weaknesses of the people whose information they seek to
steal or destroy.

A case in point is last year's "Love Bug" virus, which used an
enticing email subject line ("I Love You") to fool even savvy computer
users into opening it and inadvertently launching a blizzard of fake
emails to everyone in their email address books.

Bruce Schneier, CTO of Counterpane Internet Security in San Jose,
Calif., says "subversion of information or semantic attacks" are the
most subtle of the tactics used by new-wave vandals. He says a growing
reliance on automated programs, or bots, leaves a hole in many
security systems.

After all, a broker who saw a wildly out-of-synch stock quote would
probably ask for verification -- but a machine might not. And most
journalists would have questioned the bogus information, planted on a
newspaper's Website last fall, regarding nonexistent felony charges
lodged against Microsoft Chairman Bill Gates. "It's easy to fool
agents because they are designed to do as much as they can with as
little as possible," says Schneier. It is, he says, "a recipe for
disaster."

Stealth viruses

The Love Bug may have jammed mail servers around the world, but
security analysts say an even more dangerous version of this type of
virus will lie dormant, waiting for the right time or conditions
before stealing data from carefully selected victims.

An example of this type of attack surfaced last August when a Love Bug
variant attempted to capture passwords from Swiss bank UBS. Disguised
as a résumé attached to an email message, the worm (or "Trojan horse")
attempted to download a program that captured logins and passwords by
recording -- then transmitting -- keystrokes. A similar message, inserted in
a Microsoft computer, was able to view top-secret source code of
programs still under development.

Keith Lowry, vice president of security operations for Pilot Network
Services, which monitors more than 70,000 corporate networks
worldwide, warns that an upcoming swarm of customized viruses will
soon target wireless platforms. Lowry is especially concerned about
the vulnerability of handheld Web access devices. "No matter what
anyone says, once it goes onto the airwaves, anyone can pick up the
signal," says Lowry.

As of now, there has been no verified instance of an actual cell phone
virus (a well-publicized incident in Madrid turned out to be more of
an email chain letter than a virus), but as cell phones and handheld
devices converge, analysts say they will be vulnerable to the types of
viruses that have already hit Palm devices.

Hackers launched their first widespread attack on handhelds in August.
Unlucky Palm users thought they were downloading an applet that would
convert a freeware program into a full-featured, registered version.
In fact, they had been duped into downloading the Liberty Trojan
horse, which erased all the data from their Palms. A few weeks later,
the Phage.936 virus, regarded by many as a proof of concept, erased
third-party applications from devices using the Palm operating system.
Similar viruses, say security experts, may already be on the loose.

Experts at Beyond Security, an Israeli consultancy, say hackers can
intercept all of the data on your Palm (or upload false data) if you
synch your PDA and desktop PC via the Net. Even if synching is done at
your desk, a hacker who can access your computer or handheld can
circumvent Palm's password protection, says Beyond Security CEO Aviram
Jenik.

However, Palm users have less to fear than some security experts would
have them believe, says Gordon Clyne, manager of security projects for
Palm. "You hear about lots of potential attacks -- but very few real
attempts," he says. Clyne says it is theoretically possible to
intercept a remote synch session with older versions of the operating
system, but the hole has been plugged with versions 3.5 and higher.
But he worries about next-generation hackers attacking devices that
combine PDA functions with a cell phone's communications capability.
"That," he says, "opens up a can of worms."

Mounting risk

And the instant messaging applications that so many companies now use
to supplement email systems turn out to be as secure as a nuclear
power plant guarded by Homer Simpson. Because instant messages are
relayed by a third party via proprietary protocols with no strong
encryption, they are easy to intercept -- and to spoof, says John N.
Stewart, director of systems engineering and security for San
Francisco-based Digital Island. The risks will increase as instant
messaging becomes more capable of delivering files and transferring
large quantities of data. "IM is undermining all the technology that
is monitoring electronic-mail delivery because nothing is monitoring
the behavior of these applications," he says.

Subtle semantic attacks against automated systems are already taking
place. Companies that confront these vulnerabilities now, and
implement countermeasures, can ride out this new wave of attacks
before it sweeps away their most valuable data.
