This article written by Campbell Taylor - 'Global', is a review of the information learnt from a one day visit to McAfee and includes personal observations or further information that he felt were useful to the overall article. He refers to malicious activity as a term to cover the range of activity that includes worms, viruses, backdoors, Trojans, and exploits. Italics indicate a personal observation or comment.
In December 2004 I was invited to a one-day workshop at McAfee's offices and AVERT lab at Aylesbury in England. As you are probably aware, McAfee is an anti-virus (AV) vendor and AVERT (Anti-Virus Emergency Response Team) is McAfee's AV research lab.
This visit is the basis for the information in this document and is split into 4 parts:
1) THREAT TRENDS
2) SECURITY TRENDS
3) SOME OF TODAY'S SECURITY RESPONSES
4) AVERT LAB VISIT & USEFUL WEBSITES
Infection by Browsing
Browsing looks set to become a bigger method of virus infection in the near future, but there was also concern about the potential for 'media independent propagation by a virus', which I found very interesting.
Media Independent propagation
By media independent I mean that the virus is not constrained to travelling over any specific media like Ethernet or via other physical infrastructure installations. McAfee's research showed a security risk with wireless network deployment which is discussed in the Security Trends section of this document.
So what happens if a virus or worm were able to infect a desktop via any common method and that desktop was part of a wired and wireless network? Instead of just searching the fixed wire LAN for targets, the virus/worm looks for wireless networks that are of sufficient strength to allow it to jump into that network.
You can draw up any number of implications from this, but my personal observation is that this means you have to consider the wireless attack vector as seriously as the fixed wire attack vector. This reinforces the concept that the network perimeter is no longer based on the Internet/Corporate LAN perimeter; instead it now sits wherever interaction between the host machine and foreign material exists. This could be the USB memory key from home, files accessed on a compromised server or the web browser accessing a website.
An interesting observation from the McAfee researcher was that this would mean virus/worm distribution starting to follow a more biological pattern. In other words you would see concentrations of the virus in metropolitan areas and along key meeting places like cyber cafes or hotspots.
Distributed Denial of Service (DDoS)
DDoS attacks are seen as a continuing threat because of the involvement of criminals in the malicious hacker/cracker world. Using DDoS for extortion provides criminals with a remote control method of raising capital.
Virus writers are starting to instruct their bot armies to coordinate their timekeeping by accessing Internet-based time servers. This means that all bots are using a consistent time reference. In turn this makes any DDoS that much more effective than relying on independent sources of time reference.
As a personal note, network administrators and IT security people might consider who needs access to Internet-based time servers. You might apply an access control list (ACL) that only permits NTP from one specified server in your network and denies all other NTP traffic. The objective is to reduce the chances of any of your machines being used as part of a bot army for DDoS attacks.
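As an added illustration (not from the article or McAfee), this Python script checks flow-style log records against the one-server NTP policy just described and reports internal hosts that talk NTP to anything other than the approved server. The approved server address, the internal address range and the log format are constructed assumptions.

```python
# Added example: audit flow logs for NTP (udp/123) traffic that bypasses the
# single approved time server. Addresses and log format are constructed.
import ipaddress
from collections import defaultdict

APPROVED_NTP_SERVER = "10.0.0.5"  # assumption: the one host allowed to reach Internet NTP
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: corporate address space

# Constructed sample flow records: "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
10.0.1.20 10.0.0.5 udp 123
10.0.1.21 10.0.0.5 udp 123
10.0.1.22 192.0.2.10 udp 123
10.0.1.22 198.51.100.7 udp 123
10.0.0.5 192.0.2.10 udp 123
10.0.1.23 203.0.113.9 tcp 80
this line is malformed
"""

def parse_flow(line):
    """Parse one flow record into (src, dst, proto, port); return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, port = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(port))
    except ValueError:
        return None

def ntp_policy_violations(log_text, approved=APPROVED_NTP_SERVER, internal=INTERNAL_NET):
    """Return {src_ip: [dst_ip, ...]} for internal hosts (other than the approved
    server) that send NTP to any destination except the approved server."""
    approved_ip = ipaddress.ip_address(approved)
    violations = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash the audit
        src, dst, proto, port = rec
        if proto != "udp" or port != 123:
            continue  # only NTP is in scope for this policy
        if src not in internal or src == approved_ip:
            continue  # external source, or the server that is allowed to sync externally
        if dst != approved_ip:
            violations[str(src)].append(str(dst))
    return dict(violations)

if __name__ == "__main__":
    for host, dsts in ntp_policy_violations(SAMPLE_FLOWS).items():
        print(f"{host} sent NTP to unapproved server(s): {', '.join(dsts)}")
```

Hosts reported here are candidates for the ACL denial above, or for a closer look at why they are not using the internal time source.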
This was highlighted as a significant likely trend in the near future and is part of the increase in Phishing attacks that have been intercepted by MessageLabs. MessageLabs November newsletter talks about Phishing: http://www.messagelabs.com/emailthreats/intelligence/reports/monthlies/november04/
SOCKS used in sophisticated identity theft
McAfee did not go into a lot of detail about this but they pointed out that SOCKS is being used by malicious hackers to bypass corporate firewalls because SOCKS is a proxy service. I don't know much about SOCKS so this is more of a heads up about technologies being used maliciously in the connected world.
Privacy versus security
One of the speakers raised the challenge of privacy versus security. Here the challenge is promoting the use of encrypted traffic to provide protection for data whilst in transit but then the encrypted traffic is more difficult to scan with AV products. In some UK government networks no encrypted traffic is allowed so that all traffic can be scanned.
In my opinion this is going to become more of an issue as consumers and corporates create a demand for the perceived security of HTTPS, for example.
Flexibility versus security
In the McAfee speaker's words this is about “ease of use versus ease of abuse”. If security makes IT too difficult to use effectively then end users will circumvent security.
Sticky notes with passwords on the monitor anyone?