What Scares Me About Security in 2007

From eWeek.com

Opinion: 2007 is the year that attackers get more creative. The low-hanging fruit is gone.

I'm always annoyed when it comes to the end-of-year retrospectives and predictions, especially the predictions. "More of the sam­e" is never an acceptable answer, even if it's true, because it's boring. But I do think that the security landscape has been changing over the last year and should accelerate in 2007.­

The "malware winter" began some time before client vulnerabilities began to shrink in urgency. There have been some pretenders to the malware-of-the-year throne, but no real winners.

We could see in 2006 the shift from mass vulnerability-based attacks, even as a rash of "zero day" attacks emerged. Almost all of these zero-day attacks affected very few users.

This is not to say that there are no threats out there, far from it. Leave an unprotected computer out there and act irresponsibly with it, and you'll be "0wned" in no time flat. But protection against these threats has gotten much better and cheaper; anyone who is interested in protecting themselves can for a reasonable amount of money.

Security vendors are even beginning to be more reasonable with their pricing. The Norton 2007 line permits you to use one copy on up to three computers. That's a big step forward for consumer protection.

But we've also been hearing for years about the more sophisticated next generation of attacks. Recently I've seen a few examples that really concern me. Consider the "man-in-the-middle" phishing attack described by Brian Krebs.

In this example, instead of hosting a real phishing site, the site runs a program that proxies for the site being phished, in this example Amazon.com. The user sees what appears to be Amazon.com in the window, and, in fact, it is Amazon.com, having passed through the phishing program on its way to the user.

The attack site just tries to get log-in info, but it could keylog a lot more than that, including credit card info. The user can even buy merchandise and get it delivered! All this particular attack needs is a better domain name.

Another "advance" in phishing came my way today from F-Secure, which identifies phishing sites based on Flash content. This allows realistic sites that can elude many anti-phishing filters.

In the long term I'm optimistic about the ability of security software to combat phishing; there's so much more that it can do, but we're still in the baby steps.

Expect to see many more attacks this year moving up the application stack, both on the client and server, as the base operating system and the browser have become much harder to attack.

On the client, attacks may find it easier to get through more narrow targets. Maybe the scariest bug I've heard of in the last few months was the Broadcom Wireless Driver Probe Response SSID Overflow from the Month of Kernel Bugs. A stranger nearby can exploit you through this over wireless!

One way to avoid phishing sites is to look for the Extended Validation certificate.

But in fact, as Oliver Friedrichs of Symantec Security Response says, the real action in vulnerabilities and exploits is on the server, where more than 70 percent of vulnerabilities are from Web apps, PHP, Perl and similar systems. Many of the sites with these vulnerabilities are front ends for important databases.

With such potential you can expect to see Web app worms going nuts this year, causing massive damage. And since PHP has suffered them before and so much research is focused on it, expect the attacks to center on those servers. If you run a PHP server, better keep up with those updates.

It's going to be a harder year for security in 2007 because it will be harder to explain problems, and perhaps harder to write tools to detect them. But part of this is because we've already made things hard for the bad guys.