Battling the menace of cyber security

The race for greater protection against cyber threats is on, as businesses continue to fight against unethical and malicious hackers, phishers and spammers.
Written by Aaron Tan, Contributor, and Vivian Yeo, Contributor

Security continues to top the agenda at all levels of government and business.

Cyber security has been cast into the spotlight, as governments beef up their border defenses through the use of technologies such as biometrics. Doomsday predictions of power grids being shut down by cyber terrorists have not been fulfilled to date, but other forms of security breaches are taking place on a large scale. ZDNet Asia identifies the top security issues that businesses will continue to face in 2006.

Spam war wages on
Microsoft Chairman Bill Gates was "taken to task" recently for a prediction he made in January 2004 about spam. Security firm Sophos noted that his statement--the complete eradication of spam by 2006--held no water, and instead claimed that spam will continue to be a major problem in the year ahead.

According to Symantec's eighth biannual Internet Security Threat Report, spam constituted 61 percent of e-mail during the first half of 2005. Research earlier this year from Mirapoint also indicated that 33 percent of e-mail in corporate inboxes is spam.

The United States remains the number one country of origin for spam, but Asian countries like South Korea and China are fast-growing contributors to the global problem. One reason for this could be the rise in the number of hijacked PCs controlled by 'bot-herders' to spam other computers, noted Adrian Tham, Symantec's systems engineer manager for Southeast Asia.

Governments worldwide are not taking the spam issue lightly. Relevant authorities in the United States and United Kingdom have agreed to share best practices on spam, and meet regularly to fight unsolicited messages via e-mail or mobile devices. In April, 12 countries in the Asia-Pacific region signed a pact to cooperate in combating spam. Legislation has also been brought to bear in several countries, including the United States and Australia. Singapore has proposed a spam control bill.

And while the spam issue is unlikely to die down anytime soon, Internet users around the world have to grapple with new forms of spam, including mobile spam and spim, or spam sent over instant messaging.

Given the increasing adoption of wireless technologies and rising rates of broadband and mobile penetration, it is hardly any wonder that spam will continue to rocket--at least until a technological solution can be found.

Instant backdoor to crime
Enterprise users now exchange some 1 billion instant messages daily, and instant messaging (IM) is set to follow in the footsteps of e-mail in becoming a powerful mode of business communication.

However, just as the ubiquitous e-mail has been exploited by malware authors, IM is also increasingly facing security threats. Security player IMlogic reported that a 3,295-percent year-on-year increase in the number of threats was detected for IM and peer-to-peer networks in the third quarter of 2005.

To complicate matters, sophisticated and targeted IM attacks are proliferating at the same time. They even have the ability to send messages in the victim's native language.

The modus operandi for IM attacks is usually infected attachments, where the worms or viruses can then propagate to IM contacts under the owner's nose. Some instant messages could contain links to fake Web sites, just like phishing baits found in e-mail messages.

In early December, some users of America Online's AOL Instant Messenger were involved in what is believed to be the first time IM was used to trick users into activating a malicious file download. Unsuspecting users who replied to the instant message asking if it was a virus even received a reply that denied any malware.

Vendors are pointing to the need for IM-specific security, and are actively rolling out IM security management tools. CipherTrust launched its IronIM in November, an add-on feature to the company's IronMail family of security products. Check Point has its Integrity IM Security offering, which is a part of the security vendor's Integrity Security suite. Symantec also updated its 2006 edition of Norton Antivirus to enable scanning of IM attachments. IMlogic, on the other hand, included a real-time scanning feature in its IM Manager that uses predictive analyses, network anomaly detection and known threat profiles to manage IM threats.

Malware in the air
As more mobile warriors roam the streets with their laptops, handhelds and cellphones, mobile security will become a rising concern for IT managers who have to monitor a myriad of devices that connect to their networks. For instance, a telecommuter who contracts a virus from a hotspot network could end up introducing the same virus into his company's corporate network when he gets back to the office.

According to research firm IDC, spending on mobile security will leap from around US$100 million in 2004 to nearly US$1 billion by 2008.

"The next several years will see an increase in both the number and the sophistication of attacks targeted at mobile devices," said Brian Burke, research manager at IDC in a statement. "These attacks will impact corporate enterprises, carriers, and consumers alike, and subsequently fuel the growth of the mobile security software market."

Closer to home, Korean security solutions provider AhnLab believes that mobile viruses will cripple mobile device users in future, with more than 100 viruses already attacking mobile operating systems to date.

A typical cellphone virus could involve pranks such as deleting address book entries or spamming text messages to contacts. It could even put cellphones on autodial, by calling numbers quickly one after another to jam a cellphone service.

With mobile payment, the stakes are even higher, as personal information is now subject to theft. Hackers controlling the mobile malware could theoretically transmit credit card details back over mobile data networks.

Coupled with the fact that mobile devices tend to get stolen and misplaced easily, the scenario of placing tons of corporate data in the hands of someone who picks up the devices is a reality today. And it doesn't help that mobile device makers have focused too much on features and aesthetics, and less on security.

Escalating problems
Unlike yesteryear, today's Internet crimes and abuse of computer systems have gone beyond hacking and Web defacements by college kids simply looking for bragging rights. Today, the bigger concerns of cyber crime are to do with the millions of dollars that can be earned by stealing someone's credit card numbers to make unauthorized transactions.

Spam has also gone beyond touting blue pills. Spam e-mail masquerading as Trojan worms could cede control of a PC to hackers, who could use zombie PCs to distribute spam, or make it part of a larger network, called a botnet, to take down bigger servers.

Phishing attacks have been the central concern of many users of Internet banking and online auction Web sites in the past year. These phishing sites, which look almost like the genuine ones, are operated by crime syndicates that collect credit card numbers when unsuspecting users enter them.

As an indicator of the scale of the identity theft problem, a survey conducted by research firm Gartner revealed that between May 2004 and May 2005, an estimated 73 million U.S. adults who use the Internet said they definitely received, or think they received, an average of more than 50 phishing e-mails in the past year. And the number does not even include victims in other countries.

Additionally, 2.4 million online consumers have reported losing money directly because of phishing attacks. Of these, approximately 1.2 million consumers lost US$929 million during the year preceding the survey. Survey participants indicated most of the money stolen was repaid by banks and credit cards.
