Week of (everyone else's) Security Predictions 2009 - Day 4
Posted by Gunter Ollmann on January 08, 2009 at 11:26 AM EST.
Having broken the back of the working week, we’re now into the downward spiral to the weekend and Day Four of the “Week of (someone else’s) Security Predictions”.
Wednesday’s Day Three analysis set its crosshairs on the 2009 predictions of PandaLabs. As I noted at the time, they have a distinct focus on malware, which was subsequently reflected in their predictions. I think I agreed with most of what they were proposing – but there was still an overriding “more of the same” continuation of past security trends for 2009.
In Day Four of WoSP we’re going to take a look at the 2009 security predictions of Websense. Websense have provided us with six separate predictions from their Security Labs blogging team. You can find their 2009 security predictions in their blog entry conveniently titled “Websense Security Labs 2009 Predictions”.
Websense’s 2009 Security Predictions
Websense are a security company that focuses mostly on the area of Web filtering and over the years have branched out a little further to encompass email filtering and, more recently, wrapped those features into an ongoing DLP story. As such, I think we’ll find that their predictions have a strong bias towards Web content attacks.
(1) The “Cloud” will increasingly be used for malicious purposes
“… predicts that in 2009 – we will see an increase in misuse of the “cloud.” The cloud may be used simply to send spam or to launch more sophisticated attacks including hosting malicious code for downloads, uploading stats, and testing malicious code.”
Ever since the various “clouds” were more than twinkles in their creators’ eyes, there’s been someone poking a stick at them in a nasty way. But in 2008 we really noticed the cyber-criminals begin to spin up their cloud-based attack methodologies. While the first half of the year saw a lot of tinkering as they experimented with the bounds of what would profitably work for them, by the later stages of last year we observed the more methodical money-making crimes.
As 2009 progresses I think we’ll see continued diversity in the way cyber-criminals attempt to make money off the backs of the various cloud infrastructures out there. I suspect that several of the more bothersome tactics will revolve around the distribution of unwanted content (spam, mailers, URL redirections, etc.) being issued from cloud infrastructures because it’s so difficult to shut down externally (i.e. it’s not likely that you can just tell the provider that xxx IP address was spewing spam and hate mail – the content could likely be coming from multiple IP sources, and changing every few minutes).
(2) An increased use of Rich Internet Applications (RIAs) like Flash and Google Gears for malicious purposes
“… we predict that in 2009 we will see some large scale attacks using both exploits found within the core RIA components as well as the user-created services that allow attackers to remotely execute code on user's machines.”
While there was a substantial amount of tinkering with RIAs as a vehicle for malicious purposes over the last couple of years, there weren’t any significant attacks. The closest we’ve come to that has to do with some permutations of click-jacking, and maybe (if you want to extend the thought further) the abuse of the PDF scripting language to propagate attacks.
That said, I do think it likely we’ll see some interesting threats appear in the realm of RIAs in 2009. I suspect that the most important RIA-based threats will revolve around components that require some degree of legacy installation on the victim’s host (e.g. Flash, PDF, etc.) – mainly because these technologies are better understood and there already exists a basis for successful exploitation.
Other technologies such as Google Gears, Air, and Silverlight which are predominantly used to build Cloud and Social Network-ish applications online today will undoubtedly be picked at by criminals and vulnerability researchers alike throughout the year – but the probability of any big and financially rewarding cybercrime occurring through the exploitation of these technologies in 2009 is pretty slim.
I’d still advise users of the technology to keep their patching regime tight though.
(3) Attackers take advantage of the programmable Web
“… there will be a rise in the malicious use of some Web service API’s to exploit trust and steal user credentials and confidential information.”
MessageLabs and PandaLabs both predict similar things. As such, I’ve already covered this threat prediction as part of Day Two and Day Three of the WoSP.
(4) A significant rise in Web spam and malicious posting of content into blogs, user-forums and social networks
“… lead to a significant rise in Web spam and malicious posting of content into blogs, user-forums, and social networks sites for search engine poisoning, spreading malicious lures, and duping users into fraud… augmented by several new Web attack toolkits that have emerged that allow attackers to discover sites that allow posts and/or have vulnerabilities.”
I’m not sure how “significant” the rise is going to be, but over the last three years I’d say that there has been a marked increase in overall Web spam – most of which can probably be correlated to the overall increase in Web sites, forums and applications that allow visitors to post content. So, while there’s probably been an exponential growth in volume year-on-year, I suspect that it’s probably linear with the number and scope of the Web services coming on line.
For 2009, frankly I’d predict more of the same as far as volume increases go, along with probable sophistication advances for that matter too. One limiting factor though is that the anti-spam technologies being deployed and embedded within the major Web portals seem to be working very well and the volume of Web spam found on those sites is fairly static (if not going down) – but the virtual tug-of-war between site owner and spammer will continue for quite some time to come, just as it has for email spam.
(5) Attackers will move to a distributed model of controlling botnets and hosting malcode
“… predict that because these botnet groups have thus far depended on only a few providers to host their C&C servers, they will distribute their servers as well as move to foreign hosting providers, making it harder for upstream providers, the Internet community and law enforcement to find and shut them down.”
I pretty much agree with this prediction. See my analysis of MessageLabs 2009 predictions (1) and (8) for some Day Two analysis.
(6) A continued siege against Web sites with “good” reputations
“…2009 we will see more than 80 percent of all malicious content hosted on sites with “good” reputations… more big name Web site compromises … includes regional attacks on popular Web sites in select properties, popular sporting sites, news sites, and continued placement of IFRAME’s and other malicious redirection code within them.”
On one hand, this isn’t really a prediction, for the simple fact that this is currently the state of play as far as most of the IFRAME and malicious redirection is concerned. Depending upon whose numbers you use, it’s consistent to say that around three-quarters of malicious content is currently located on Web sites that we’d generally agree are “good”.
Throughout 2008 we observed a regular pattern of SEO-focused attacks, with an average of around 100,000 “defacements” (which, in this context, basically means malicious embedded IFRAME URLs) on a weekly basis. Given the public accessibility of the tools that instigate and propagate these attacks (e.g. SQL Injection automation tools), and the increasing frequency of Web sites that exhibit vulnerabilities that can be discovered by these tools, I’d expect this trend to continue this year.
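As an added example (not part of the original post, and not Websense’s or the author’s code), here is the kind of check a site owner could run over their own pages to spot the injected hidden-IFRAME redirections described above. The sample HTML and every hostname in it are constructed placeholders, not real indicators.

```python
# Added example (not from the original post): flag injected IFRAME/script
# redirections in a page's HTML. Sample HTML and hostnames are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("iframe", "script") or not src:
            return
        host = urlparse(src).hostname
        reasons = []
        # Off-site host: legitimate widgets exist, but each should be a known one.
        if host and host.lower() != self.site_host:
            reasons.append("offsite:" + host.lower())
        # Zero-size or hidden frames are the classic injected-redirect shape.
        if tag == "iframe":
            size = [(a.get(k) or "").strip() for k in ("width", "height")]
            if any(s in ("0", "1") for s in size):
                reasons.append("zero-size")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden")
        if reasons:
            self.findings.append((tag, src, reasons))


def find_injections(html, site_host):
    """Return a list of (tag, src, reasons) for suspicious tags in html."""
    parser = InjectFinder(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample: a legitimate same-site frame, a local script, and an
# injected zero-size hidden frame pointing at a placeholder redirector host.
SAMPLE = """<html><body><h1>News</h1>
<iframe src="http://www.example-news.test/video" width="400" height="300"></iframe>
<script src="/js/site.js"></script>
<iframe src="http://redirect.example-bad.test/in.cgi?3" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""
```

Running `find_injections(SAMPLE, "www.example-news.test")` flags only the hidden off-site frame; any off-site script or frame it reports should then be checked against the list of third-party widgets the site is known to embed.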
Page ranking in popular search engine results is a valuable commodity and many organizations spend a sizable amount of dosh making sure they’re near the top. For this very reason cyber-criminals will continue to target the Web applications and services of these large organizations and take a free ride in reaching the most sizable populations of future victims.

