This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39155146,00.htm
Re:Viewing 2005: The year in security
Small was the new big when it came to security threats...
By Will Sturgeon
Published: Monday 19 December 2005
The security events of 2005 led some to believe things were getting better when, in truth, it was more the case that what you can't see really can hurt you. The surface may have appeared still and unthreatening but underneath the currents were anything but friendly, as Will Sturgeon explains.
Phishing, spam, spyware, Trojans, viruses and worms - you'd be forgiven for thinking 2005 was very much 'same old, same old' but there were trends which came to light during the past 12 months that will have the security experts scrutinising their radars long into the New Year.
As much as anything, this is due to the increasing sophistication of existing threats and the fact criminals will have been loath to conjure new threats when existing ones clearly had so much more mileage left in them.
So, even though the threats at their most basic level have remained the same, the ways they work most certainly haven't.
Leading the charge are far more finely tuned phishing scams and the snowballing menace of spyware. These are the two areas where we have seen the greatest and most portentous development.
And worse luck, over 2005 these threats have become increasingly difficult to spot. More than ever, the criminals wanted to go unnoticed.
Whereas security threats were once synonymous with a subtlety akin to blanket bombing, phishing attacks in particular are becoming far more targeted, bringing prominence this past year to the phrase 'spear phishing'.
The reason is simple. Often a well-engineered attack which targets hundreds of individuals with clinical precision will net more results than a generic attack which is sent to millions. One such attack was outlined earlier this year by Symantec's Enrique Salem when speaking to silicon.com.
The benefit for the criminals here is that highly targeted emails can be far more detailed, and those specifics encourage recipients to believe they are genuine. And such scams, travelling in far smaller numbers, are far harder to detect.
Users may by now be wary of a generic email which uses Amazon or eBay branding, but an email from a parent company, for instance, which uses real names and mentions departments and company events or milestones, will often catch the majority of recipients with their guard down.
So this year the scammers have been swapping the high bandwidth demands of major attacks for a little more time researching their art - and their targets.
And an interesting side-effect of more targeted attacks has been the diminished need for vast botnets - networks of compromised end-user PCs used to send spam on behalf of the criminals.
Botnets have reportedly decreased in size over 2005 but it's not much of a victory when it was largely in the criminals' best and stealthiest interests. (Though the decrease didn't come until after one million Telewest customers were blacklisted for the high numbers of compromised machines belching out spam from the blueyonder network - a problem highlighted by silicon.com some weeks earlier.)
Mark Sunner, CTO at MessageLabs, told silicon.com such 'spear phishing' attacks should have become a major concern for companies of all sizes this past year.
Sunner said: "These emails can appear to show real understanding and knowledge about the company. And it's not just large companies. Our data suggest small companies are also at risk, if not more so."
And the endgame of the scammers was often identity theft but more and more the issue of industrial espionage was coming up in conversations about security. Companies were increasingly being urged to consider a broader risk-based approach to security throughout 2005. (CyberTrust's Dr Peter Tippett also made compelling arguments during 2005 for approaching the issue of enterprise security from a perspective that will be new to many.)
Simon Perry, VP security strategy at CA, told silicon.com one of the cases which set the most interesting precedent during 2005 was the well-publicised case in Israel of spyware being used by companies to steal data from their rivals.
Israel was also at the centre of the investigation into the attempted robbery of the Sumitomo Mitsui bank. In that instance spyware, or a physical key logging device, was installed on a computer inside the bank and used to steal data which facilitated a £220m transfer of funds - thwarted by the UK's National Hi-Tech Crime Unit (NHTCU).
(However, the NHTCU didn't cover itself in glory later on in the year when its bungled Get Safe Online initiative attracted more than a little criticism for its execution more than its intent.)
Copyright © 2008 CBS Interactive Limited. All rights reserved.