Top 10 security threats for 2008

In 2008 the line between cybercrime and legitimate business will blur, Australians will find out just how many data breaches occur, smartphones will attract malware, and people will decide which group is worse: social networking sites seeking to monetise page hits or identity thieves.

1. Smartphones become dangerous
The iPhone blitzed the smartphone market this year, causing speculation that it will make the platform a target for cybercriminals, but it's not the only mobile platform which experts expect to be targeted next year.

Today, there are just over 400 pieces of known malware for mobile platforms, most of which are designed for the Symbian operating system. However, according to researchers, mobile phone malware remains purely the domain of pranksters or script kiddies.

Nevertheless, security experts believe once ownership of smartphones increases and people begin accessing online banking via mobile phone platforms -- that is, once there is a wider adoption of more sophisticated applications and operating systems on mobile phones -- criminals will begin commercialising pranksters' earlier work.

Like the PC, the critical determinant will be known application vulnerabilities and the number of users on a particular operating platform, whether it's Windows Mobile, Symbian, OS X or Linux.

2. Web applications are holy
According to Microsoft researchers, operating system vulnerabilities are on the decline but application vulnerabilities are on the rise: threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs, for example.

The problem for Internet users, in terms of exposure to Web-based threats, is that application security often takes a backseat to profits.

It's expected that unless developers take the responsibility of securing applications personally, more flawed applications will hit the Web, allowing opportunities for criminals to attack users.

This year also saw thousands of legitimate Web sites used to transmit malware as criminals inserted single lines of malicious code into them, designed to exploit unpatched Web browser vulnerabilities. Security firm Sophos reported that as many as 30,000 Web sites become vectors for distributing malware each day.

With the rise in use of the Web to execute malicious activity such as drive-by downloads, as well as an increased presence on the Web by Australian businesses, next year will see even more sophisticated threats emerge.

3. Cybercrime is business
Like their corporate counterparts, professional cybercriminals want to cut costs by achieving greater automation in the acquisition of money and information.

Pure Hacking penetration tester Chris Gatford reckons this will be the next plateau for cybercriminals.

Although cybercriminals minimised effort by reaching victims through popular Web sites, these threats were still manually planted. To some extent, the Russian pillow-talking software, which chats with victims online in order to extract personal information -- though technically social-engineering -- could be considered one manifestation of the automation trend.

However, Gatford said a worm with a sole purpose of injecting malicious code into Web sites in order to infect Web clients will likely emerge.

4. Australians will become aware of their exposures to mass data breaches
Australians are kept in the dark about any data breaches that occur today. Custodians of personal information, whether government departments or corporations, are not required to alert clients if and when a breach which may impact privacy occurs.

Instances similar to the UK's recent data breach will be shared with the public if plans to introduce data breach disclosure legislation are realised in 2008. The Democrats have stated that amendments to the Privacy Act will be proposed in Parliament in March next year.

Since the introduction of California's data breach disclosure legislation in the US, SB 1386, over 200 million records containing personal or financial information have been compromised, according to US privacy watchdog the Privacy Rights Clearinghouse.

Left in trains, planes and automobiles by distracted workers in transit, laptops have been the weakest link in the US, followed by lost or stolen backup tapes.

5. Criminal convictions and surveillance
The FBI, through "Operation BotRoast", has nabbed and convicted dozens of botnet operators over the past year. If Australia follows suit with US laws, we may see the introduction of penalties against identity thieves.

Australians will be subject to greater monitoring, thanks to the increased surveillance capabilities of government authorities and the so-called threat of terrorism. The APEC meeting this year saw Sydney equipped with vast numbers of street surveillance cameras, while mapping and satellite services will help police target illegal activities, such as growing marijuana.

6. Attached to spam
In the spamming world, 2007 was the year of attachments. Word documents, PDF files, and even MP3 files were used either to carry viruses or send "pump and dump" stock spam.

The only file yet to be used is a video file but thanks to the size of such attachments, few experts expect it to be used as an attack vector.

Bradley Anstis, VP of products for Marshal Security, predicts a return to more simple forms of spam, with an emphasis on disguising the IP address messages are sent from. Botnets are expected to play a critical role in this.

7. Social networking and ID theft: your life is valuable
Will people learn that putting information on public forums is not such a great idea from a privacy perspective? Or do users simply not care about privacy? Either Generation Y will learn how to protect their privacy next year, or the world will learn whether "digital natives" really give two hoots about privacy.

However, it's yet to be decided which group is more harmful to privacy: social networking companies seeking to make a buck by tracking your every move, or identity thieves who use social networks to research people before launching an attack. Either way, users are a commodity in the mine of humanity.

8. Online banking and trojans
With banks increasingly adopting two-factor authentication and educating consumers on how to correctly access their bank accounts online, criminals have turned to trojans that undermine all the advice banks have offered.

Expect more malware designed to steal financial information next year. On the other side, expect to hear more about behavioural analysis technology from security vendors, since standard signature-based AV software is increasingly failing to recognise variations on the same malware, but is getting better at recognising suspicious behaviour.

9. Botnets decentralise to avoid detection
An interesting quirk in the tale of the botnet associated with the Storm worm or Zhelatin Gang is that it got too big for its own good.

The attention given to the Storm worm compromised the secrecy of its work. However, before it scaled back operations in the second half of the year, security researchers discovered the group had split its bot network into three specialist streams: spam, denial of service, and bot herding -- that is, acquiring and controlling new bots. Each service can be rented out.

A key objective is to minimise the risk of doing business, so experts believe botnets will continue to shrink in size. Meanwhile technology has already enabled decentralised control techniques, which help botnet operators evade detection.

10. Grey area business
Researchers at security firm BitDefender believe that next year will bring more businesses that deal in the realm of semi-legitimate enterprise -- the so-called "grey trade".

Its researchers recently put the spotlight on a Swedish online firm, Wakenet, which is selling fake compression software under the name "WinZix" -- playing on the popular free version, WinZip -- barely functional BitTorrent clients, and fake codecs used to stream video content.

The company's intent, claim BitDefender researchers, is to boost ad revenue by delivering pop-ups to users with the software, asking for payments for the software, and allowing the software distributors to unleash malware to its clients.

One grey, tending-towards-black business, the Russian Business Network, which sold "MPack" -- pre-packaged malicious code -- to those wishing to infect computers, dropped off the radar late in the year. No one knows for sure where it relocated to, but some speculate its operations moved to China. It had been pegged for hosting child pornography sites and hacking software distribution sites. European telcos continued to support RBN until this year because the company was a high value customer, but security experts at Trend Micro believe the group had "overreached" itself, which caused its upstream providers to switch off support.