Information Security News mailing list archives
New Wave of Threats Against Your Data
From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:03:42 -0600
http://www.business2.com/content/magazine/breakthrough/2001/02/26/26878 Ann Harrison March 06, 2001 issue Here's a scenario to ruin your day: A cyberattacker gains access to the Nasdaq database and alters index figures that trigger sell orders in automated stock-trading programs. Before the error is even detected, your company's share price has plunged 50 percent. Here's another scary thought: While attending a trade show, you decide to hot synch all the new contact information recorded in your Palm and place it on your PC. It takes only a second to connect the two devices over the Internet. But in that second, an intruder has copied all the information sent to your PC. Situations such as these, which can turn the strengths of emerging technologies into weaknesses, are among a new wave of threats against your company's data. Unlike earlier cybervandalism, which takes advantage of flaws in software and security protocols on wired networks, the new wave of cyberattacks may well be directed against popular technologies such as instant messaging, Palm computing, and cellular phones that exist outside the protected corporate environment. Perhaps most significantly, hackers are beginning to target the weaknesses of the people whose information they seek to steal or destroy. A case in point is last year's "Love Bug" virus, which used an enticing email subject line ("I Love You") to fool even savvy computer users into opening it and inadvertently launching a blizzard of fake emails to everyone in their email address books. Bruce Schneier, CTO of Counterpane Internet Security in San Jose, Calif., says "subversion of information or semantic attacks" are the most subtle of the tactics used by new-wave vandals. He says a growing reliance on automated programs, or bots, leaves a hole in many security systems. After all, a broker who saw a wildly out-of-synch stock quote would probably ask for verification-but a machine might not. And most journalists would have questioned the bogus information, planted on a newspaper's Website last fall, regarding nonexistent felony charges lodged against Microsoft Chairman Bill Gates. "It's easy to fool agents because they are designed to do as much as they can with as little as possible," says Schneier. It is, he says, "a recipe for disaster." Stealth viruses The Love Bug may have jammed mail servers around the world, but security analysts say an even more dangerous version of this type of virus will lie dormant, waiting for the right time or conditions before stealing data from carefully selected victims. An example of this type of attack surfaced last August when a Love Bug variant attempted to capture passwords from Swiss bank UBS. Disguised as a r}sum} attached to an email message, the worm (or "Trojan horse") attempted to download a program that captured logins and passwords by recording-then transmitting-keystrokes. A similar message, inserted in a Microsoft computer, was able to view top-secret source code of programs still under development. Keith Lowry, vice president of security operations for Pilot Network Services, which monitors more than 70,000 corporate networks worldwide, warns that an upcoming swarm of customized viruses will soon target wireless platforms. Lowry is especially concerned about the vulnerability of handheld Web access devices. "No matter what anyone says, once it goes onto the airwaves, anyone can pick up the signal," says Lowry. As of now, there has been no verified instance of an actual cell phone virus (a well-publicized incident in Madrid turned out to be more of an email chain letter than a virus), but as cell phones and handheld devices converge, analysts say they will be vulnerable to the types of viruses that have already hit Palm devices. Hackers launched their first widespread attack on handhelds in August. Unlucky Palm users thought they were downloading an applet that would convert a freeware program into a full-featured, registered version. In fact, they had been duped into downloading the Liberty Trojan horse, which erased all the data from their Palms. A few weeks later, the Phage.936 virus, regarded by many as a proof of concept, erased third-party applications from devices using the Palm operating system. Similar viruses, say security experts, may already be on the loose. Experts at Beyond Security, an Israeli consultancy, say hackers can intercept all of the data on your Palm (or upload false data) if you synch your PDA and desktop PC via the Net. Even if synching is done at your desk, a hacker who can access your computer or handheld can circumvent Palm's password protection, says Beyond Security CEO Aviram Jenik. However, Palm users have less to fear than some security experts would have them believe, says Gordon Clyne, manager of security projects for Palm. "You hear about lots of potential attacks-but very few real attempts," he says. Clyne says it is theoretically possible to intercept a remote synch session with older versions of the operating system, but the hole has been plugged with versions 3.5 and higher. But he worries about next-generation hackers attacking devices that combine PDA functions with a cell phone's communications capability. "That," he says, "opens up a can of worms." Mounting risk And the instant messaging applications that so many companies now use to supplement email systems turn out to be as secure as a nuclear power plant guarded by Homer Simpson. Because instant messages are relayed by a third party via proprietary protocols with no strong encryption, they are easy to intercept-and to spoof, says John N. Stewart, director of systems engineering and security for San Francisco-based Digital Island. The risks will increase as instant messaging becomes more capable of delivering files and transferring large quantities of data. "IM is undermining all the technology that is monitoring electronic-mail delivery because nothing is monitoring the behavior of these applications," he says. Subtle semantic attacks against automated systems are already taking place. Companies that confront these vulnerabilities now, and implement countermeasures, can ride out this new wave of attacks before it sweeps away their most valuable data. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- New Wave of Threats Against Your Data InfoSec News (Feb 26)