In its annual review of the worst security problems spotted for the year, the SANS Institute recently cited zero-day attacks and human gullibility in falling victim to phishing scams or other social engineering tricks as among the most dismal trends of 2006.
The annual SANS “Top 20 Internet Security Vulnerabilities,” last year called the “Top 20 Attack Targets,” were highlighted by SANS Institute representatives in an appearance Nov. 13 at Britain’s security agency, the National Infrastructure Security Coordination Centre, in London. The SANS Institute listed one of the worst problems last year as zero-day vulnerabilities and attacks that have gone beyond Microsoft Internet Explorer.
According to SANS, a zero-day vulnerability is a known flaw in software that does not have a patch available. SANS said 45 “serious and critical vulnerabilities were discovered in Microsoft Office products alone” and among them, nine were zero-day vulnerabilities in which an exploit or worm was actively making use of the flaw and no patch was available, the SANS report notes.
But it’s not just Microsoft products at stake, says Rohit Dhamankar, editor of the SANS Top 20 report and senior manager of security research at TippingPoint, a division of 3Com. “The rise of zero-day attacks, at least 20 of them this year, also included Apple’s Safari browser and wireless driver.” But according to SANS, the focus of most zero-day attacks remains on Microsoft products, particularly Internet Explorer.
The SANS report claims that many zero-day attacks are initiated in China.
“There are various theories about why China is such a hotbed for zero-day attacks, but most likely it is the fact that much of Microsoft’s source code is available there with little intellectual property rights restriction on distribution, the culture supports reverse-engineering of proprietary code and research into exploiting code vulnerabilities, and there are few enforcement investigations into the crews launching the attacks against targets in other countries,” the SANS report states.
Other attack trends spotted by SANS this past year include growth in targeted attacks, such as “spear phishing” where an e-mail-based scam is perpetrated against an organization or individual.
“For the first time…we’re citing the human factor,” said Dhamankar. “It might be a secretary out front who gets ‘spear-phished’ with mail that looks like it comes from the CIO or the security office but it doesn’t. It’s an attack to get sensitive information.”
When it comes to spear-phishing, however, SANS also has some controversial advice for computer security professionals looking to lock down their networks: spear-phish your employees.
That’s what the U.S. Military Academy at West Point did in 2004 to a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus e-mail that looked like it came from a fictional colonel named Robert Melvillle, who claimed to be with the academy’s Office of the Commandant (The real Robert Melville helped invent a short range naval cannon called the Carronade nearly 250 years ago).
“There was a problem with your last grade report,” Melville wrote, before telling the cadets to click on a Web page and “follow the instructions to make sure your information is correct.”
More than 80 per cent of the cadets clicked on the link, according to a report. Worse still, even after hours of security instruction, 90 per cent of freshmen cadets still clicked on the link.
Spear-phishing attacks contain this kind of targeted information in order to seem more credible, but their goal is the same as a regular phish: Trick the user into doing something he shouldn’t, like giving up sensitive information.
Because these attacks rely on cooperation from their victims, it’s hard to prevent them, said Alan Paller, director of research with SANS. “The only defense against spear-phishing is to run experiments on your employees and embarrass them,” he said.
Other threats SANS is highlighting for 2006 include VoIP attacks, including the type to “make money by reselling minutes and potentially injecting misleading messages and even creating massive outages in the old phone network.”
“The VoIP servers are interfacing with the traditional networks,” Dhamankar points out. Attackers can get to circuit-switched networks via VoIP servers that could have vulnerabilities.