2003 started with the Slammer Internet worm and went downhill from there. It has been labeled the Year of the Worm and called “the worst year ever” by more than one security expert. Will 2004 bring more of the same, or will it be remembered as the year in which Internet users “took back the streets” from virus writers, malicious hackers, and spammers?
A little bit of both, say corporate security experts and computer virus specialists.
Michael Murphy, the Toronto-based general manager of Symantec Corp. in Canada, said most companies “have woken up from that shot over the bow” in 2003. “I think we’ll see an improvement in (2004),” he said, but with an added caveat, “I don’t think it will be a quantum improvement.”
Internet users will not see virus outbreaks curtail in 2004, despite high-profile prosecutions of some virus authors and a Microsoft bounty on the original authors of the Blaster and Sobig viruses, according to Chris Belthoff, senior security analyst at Sophos PLC. Prosecutions and bounties do not prevent crime in the physical world and should not be expected to work any better online, Belthoff said.
Murphy agrees, and said Symantec expects to see as many as four Blaster and Slammer-level threats in 2004.
The threat of a so-called “zero day attack,” in which a virus or worm exploits an unknown and unpatched software vulnerability, also looms as a worst-case scenario, Belthoff said. In pursuit of that elusive goal, hackers are exploring internal vulnerabilities in Microsoft Corp.’s .Net Web services framework, IIS Web server, and Windows 2003 Server, according to an exploit writer who uses the online handle “wirepair.”
But Murphy said this is nothing new. “They always were” trying to find exploits on their own, he said. Whether a zero day attack comes to fruition in 2004 is unknowable at the moment, but Murphy warned that the trend is moving in that direction. The Blaster attack came only 26 days after the vulnerability’s announcement, and even before that there were several failed trial runs, Murphy said. A lesser-known Cisco-focused attack came only two days after the vulnerability’s announcement, Murphy said.
Though he doesn’t doubt the possibility of creating a successful zero day attack in 24 hours, Murphy said creating such a threat is not as easy as some think.
“Most fail for any number of reasons,” he said. These range from a lack of Internet bandwidth to the difficulty of writing code that does not fall all over itself, as happens when two infected machines try to infect each other and cancel out their effectiveness.
Microsoft, the number one attack target, has its work cut out for it. Though the company is pushing security education out to the masses and trying to reduce the time it takes for patches to reach users (and making them easier to apply), there is a partial admission that users, to some extent, are on their own when defending against zero day attacks.
“It is a little bit hard to plan for what you don’t know is coming,” said Jill Schoolenberg, director of Windows Client for Microsoft Canada in Mississauga, Ont. But she added that Microsoft will be on top of all security developments and “when necessary issue service packs,” to upgrade systems.
Symantec’s Murphy advocates a fully integrated, three-pronged approach to protecting the entire corporation, zero day attacks or not: up-to-date intrusion detection, firewalls and anti-virus software. In 2004 he expects corporate perimeters to be shored up and an increasing amount of focus to go to the “soft chewy middle,” where something as simple as a mobile device coming in and connecting to the network inside the corporate firewall can wreak havoc if the device was compromised while it was out in the wild.
Regardless, the wealth of new, unexplored code for .Net is fertile ground for hackers, said Mikko Hypponen, director of anti-virus research at F-Secure Corp.
“One thing that’s interesting about attacks in an environment like .Net is that a successful worm will hit multiple platforms: desktop, laptops, as well as mobile phones and PDAs,” Hypponen said.
Adel Melek, national leader of the security practice at Deloitte and Touche in Toronto, said developers have to get better at building security into the application development stage. “Logically everybody in IT understands that but ironically…not everyone is getting the message,” he said. “Developers would just develop an application and throw it over the wall to the op (operational) guys, who would then have to bolt [security] on.”
Incidents of online identity theft will also increase in 2004, security experts said. Organized criminal groups in Russia and South Korea are using malicious hacking and so-called “phishing” Web sites to harvest information about thousands of online users, according to Richard Stiennon, a Gartner Inc. analyst.
Security flaws, the increasing use of embedded versions of Windows, and the near-total dominance of the TCP/IP networking protocol make it likely that virus and worm outbreaks will affect private networks used by ATMs, utilities, and other critical systems, F-Secure’s Hypponen said.
Security in 2004, however, will not be all bad. Enterprises will deploy more security technologies, and they will do it more precisely and with fewer problems, Stiennon said. He added that changes to Microsoft software will close a number of well-worn avenues traveled by hackers and virus writers.
“It’s getting to the point where we know what we need to do, and there are good solutions out there, but now we have to execute,” Stiennon said.
“Security is the art of compromise, it is the balance of paranoia and complacency,” said Ian Hammeroff, director of eTrust Solutions with Islandia, N.Y.-based Computer Associates Inc.