We will remember 2010 as a year in which our interaction with technology — and with each other — evolved because of the widespread adoption of social media and the use of innovative mobile computing devices.
We are dependent on smart devices — just ask anyone who has lost their iPhone or BlackBerry. And whether you’re using a mobile device or a laptop or desktop computer, you’re likely to use social networks more than ever. This new technology changes the way we communicate with our friends, colleagues and customers. This not only revolutionizes the way we live our lives, but also blurs the lines that define the way we run our businesses and use and share information.
Today, users are the content. Driving the growth, and at the same time being driven by it, the explosion in mobile computing is expanding the impact of the social Web. And, the way that content is shared and accessed is now the core of a new global culture, affecting and combining the spheres of personal and business life.
Of course, this evolution of technology is closely tracked by the “bad guys” willing to exploit weaknesses in our technologies and in human nature. Cyber criminals prey on our curiosity, and perhaps our vulnerability and gullibility, and use psychological traps to profit from unsuspecting technology users. Malware scams and exploits targeting social networking websites, applications, devices, and users proliferate. At the same time, traditional attacks continue to become more sophisticated to target the most advanced software, hardware and websites.
In this slideshow, we highlight the more significant security threats identified by Sophos in 2010 and outline critical access points that need to be guarded against future threats.
One of the more persistent threats of 2010 was fake anti-virus, also commonly known as “scareware” or “rogueware.” In this widespread practice, software is inveigled into a victim’s computer system, closely resembling — and in some cases directly impersonating — genuine security solutions. The user receives a warning that their system is infected with some nasty malware and is forced to pay for a “full” version of the software to remove the threat. Of course, paying money to the bad guys doesn’t provide any protection. In most cases there’s no real danger, and in many cases the bad guys are actually installing additional malware on the system and taking the victim’s credit card information. With this kind of data handed over so freely, cyber crooks can drain the victim’s bank account or completely take over their identity.
While older approaches such as e-mail remain a threat, fake anti-virus and other malware are largely spread through the Web. The search engine is our gateway to the Web, and cyber crooks are skilled at manipulating search results from engines such as Google, Bing and Yahoo! to lure victims to their malicious pages. These pages host security risks and browser exploits just waiting to infect users who are directed to these sites. There’s also the abuse of search engine optimization (SEO) techniques. Legitimate SEO techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as Black Hat SEO.
By mid-2010, Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the Web. People use the Internet differently because of social networking. Young people are less likely to use e-mail, and more apt to communicate through Facebook, Twitter or other social sites. Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base, with diverse and steadily growing attacks throughout 2010.
As spam expands into other areas online, traditional e-mail spam still remains a significant problem, especially in business. Workers still need to keep their inboxes clear of junk, and advanced mail filtering systems are a necessity in any business hoping to use e-mail efficiently.
With the convergence of spam and malware, a growing proportion of spam messages are moving away from more direct scams. Sending out malicious attachments continues to be widely practiced, but even more prevalent is the mailing of links to poisoned Web pages. These messages operate in the same manner as any other scam: victims are tricked into clicking a link in an e-mail and are then led to a site that attacks their system with exploits or attempts to implant fake anti-virus software. 2010 also saw a surge in HTML attachments that point directly to malicious Web content without the user directly visiting the dangerous sites.
One of the more widely-covered malware stories of the year concerned the “Stuxnet” worm. Stuxnet appeared to target highly sensitive SCADA systems, which monitor and control industrial, infrastructure or facility-based processes, and was remarkable for the sophistication of the code and the amount of work involved in its creation.
Some of Iran’s sensitive nuclear program computers were reportedly affected by the worm, which targeted programmable logic controllers, or PLCs. When Stuxnet found a targeted PLC, it injected its own code into it and concealed itself and the alterations it made; Stuxnet caused the computer system to misdirect the controlled process.
Enormous hype surrounded the discovery of the Stuxnet worm. The so-called military-grade malware may have been an advanced threat, showing a number of flaws in many layers of security processes, but Sophos will remember the Stuxnet worm more for its media impact than its effect on global politics or industry.
Despite the increasing sophistication and availability of alternatives, simple passwords remain the most common form of user authentication. Many online sites and services continue to rely on passwords alone to prove that the person interacting with them is who they claim to be. Weaknesses in this approach represent a serious hole in security.
In the last few years, we’ve witnessed a radical change in the way we access and use the Internet. The rapid upswing in sophistication of mobile technology resulted in a swift change in the way we provide mobile content and interact with it. However, this change brings with it a wealth of new problems for security. In our new, always-connected age, maintaining the integrity and privacy of networks, business data and personal information is increasingly important and difficult.
Facebook, by far the largest social networking system and the most targeted by cyber criminals, has a major problem in the form of its app system. Any user can create an application, with a wide range of powers to interact with data stored on user pages and cross-site messaging systems, and these applications, like survey scams, can then be installed and run on any user’s page.
In addition to the application problem, Facebook comes under regular criticism for its provision, implementation and explanation of user privacy features. Directions for setting privacy preferences are vague and unclear — if and when they’re provided. Plus, once uploaded, information and content may be difficult or impossible to remove. Facebook and other social network operators would be well advised to impose a comprehensive “opt-in” system for all user content.
Cyber criminals tend to target Microsoft, because its Office and Internet Explorer solutions are ubiquitous. Many users view this software as an integral part of the Windows platform, rather than separate software that may need a separate regime of updating and patching. Lately, cyber crooks have also targeted Adobe to enable malware distribution, as its PDF Reader and Flash player are also widely, if not universally, installed.
Though we’d like to think removable media such as flash drives, along with network cables and Wi-Fi connections, have replaced discs, discs are still used and remain a significant exposure point.
The USB flash drive is now the method of choice for easy sharing of files between people in the same physical location. Fast, capacious, robust and cheap, these drives are in widespread use in just about every sphere of computing. And of course, they’ve become a prime target for malware authors. Modern malware — including high profile examples such as Conficker and Stuxnet — exploits USB drives to automatically run when inserted into a target computer. Stuxnet took it one step further and exploited an unpatched security vulnerability to bypass even the need for “AutoPlay” to be enabled.
While permanent media such as CDs and DVDs don’t provide as much opportunity for infection by malware authors, they can still transmit malware — whether explicitly infected or accidentally when copying files onto the discs. These media are most risky as a data loss format. It’s easy for disgruntled employees to download valuable data to CDs and DVDs and walk out the door, as the U.S. government learned this year when data sneaked out in this way sparked the ongoing WikiLeaks saga.
Overall, Windows 7 provides a secure environment, but there’s still room for improvement. When the first few versions of Windows XP came out, there were much more serious issues than with Windows 7 — and many were fixed with Service Pack 2. Microsoft plans to release Windows 7 Service Pack 1 in 2011. However, numerous security fixes have already been released as part of the Patch Tuesday program.
Since fewer Macs are used in corporate environments, the Mac is a smaller target upon which cyber criminals can focus. As a result, the Mac malware problem is a tiny fraction of that seen on the Windows platform. Nevertheless, malware continues to emerge on a regular basis. And even without as many opportunities to infect and spread across platforms, Mac users are still vulnerable to the scams and tricks used to persuade and pressure them into installing suspect software, to open up their systems to remote access, or to hand over their sensitive data.
Despite the continuing presence of threats via movable hardware, the Web is by far the biggest opportunity for malware infection. It transmits e-mails bearing malicious links and attachments, websites carrying exploits targeting browsers and other software, drive-by downloads, phishing scams, questionable storefront operations, and all the other malice of the cyber world.