Security analysts have been predicting the emergence of mobile malware for many years.
In 2011 criminals finally obliged, turning on Google's popular Android OS. Meanwhile, the sophistication of Stuxnet, a nasty piece of code that infected a uranium enrichment facility, has alarmed researchers who believe governments are stockpiling tools for cyberwar. Looking ahead, it seems a cataclysmic Cloud failure is just around the corner.
MOBILE MALWARE, WINDOWS AND STUXNET
Speculation is mounting that the recent discovery of a host of rootkit apps for Android devices, dubbed DroidDream, signals a new major target for attackers beyond Windows.
Mobile phones have largely escaped the attention of attackers for the past decade, says Mikko Hypponen, chief security researcher at Finnish antivirus company F-Secure. But he expects that to change.
“We will see more attacks on Android,” he says, adding that unlocked iPhones are a worthy target too. “There will be copycats of the attacks we've seen, and possibly even exploit-based conceptions.” But unlike Windows environments, which can be compromised by a drive-by download from a rigged website, most mobile victims still have to be persuaded to install the malicious app themselves.
That the “low hanging fruit” — Windows XP — still runs on about half of the world's desktops is another reason there won't be a tidal shift to other platforms just yet, says Hypponen. “They have plenty of time to attack iOS, Android and other platforms when XP has gone. So long as Windows XP is there, it makes sense to target that and only that.”
Russian antivirus czar Eugene Kaspersky also expects more attention to be paid to Android. He even predicts an all-out war between those with Windows skills and the younger, up-and-coming hackers with Android knowledge.
“Cyber criminals will be forced to move onto Android, because most home users don't need Microsoft Office. They need the Web — for social networks, for news, pictures. Smart phones and tablets. That's what they need,” says Kaspersky.
Exactly when that occurs is still up for debate. Hypponen expects the shift to happen once Windows 7 becomes the most widely used operating system, in about 2013.
“Windows 7 is much harder to target and maybe then some of the current attackers realise there are other operating systems out there, including the mobile ones,” he says. When the shift does occur, Kaspersky envisions an actual “physical conflict” between the “old school Windows criminals” and younger Android developers. Windows cyber criminals will initially attempt to employ Android developers.
“The new generation — the Android criminals — will recognise they don't need management because they can do everything themselves.”
Meanwhile Stuxnet, the malware discovered in one of Iran's uranium enrichment plants, is so sophisticated and complex, security observers have grudgingly praised its designers and suggested it was likely created by a government cyberwarfare team.
“The exploit parts were definitely written by somebody or somebodies who knew what they were doing, for, you know, one of the top researchers out there, and there's not that big a fish bowl to choose from,” says HD Moore, CSO for vulnerability management and penetration testing firm Rapid7.
Kaspersky believes Stuxnet was the result of a “multi-million dollar project” and expects to see similar malware capabilities developed in future. “To develop such a complicated piece of malware, which had access to a lot of data, and help from outside. Criminal malware is much cheaper to develop than a Stuxnet attack.”
Hypponen predicts it's a sign of things to come. “I'm confident we're starting to see the beginnings of a cyber arms race and developed nations are starting to develop a stockpile of these cyber arms.”
Whether Australian critical infrastructure providers can ever be prepared for an attack of this nature is another matter. “It's a tough ask to say that Australian infrastructure organisations should be geared up to fend off an attack that sophisticated and determined. But it's certainly worth doing some war-gaming on a similar scenario,” says James Turner, IBRS security industry analyst.
THE NETWORK
Having already found a gaping hole in the embedded infrastructure that underpins much of the world's networks, Moore's fear that it may be the cause of a major disruption could be well placed.
“If you look at what network infrastructure looks like these days, it's awful and it's not going to get better any time soon,” Moore says.
Moore's research into the VxWorks WDB debug agent, which he unveiled in 2010, revealed a serious flaw in the embedded operating system (OS) developed by Wind River, a subsidiary of Intel: the agent, intended for developers, was left enabled on shipping devices and allowed anyone who could reach it over the network to read and write device memory without authentication.
Like its parent's chips, VxWorks is inside everything from space exploration hardware to defence aircraft. Dozens of telecoms equipment makers were vulnerable, including Alcatel-Lucent, Ericsson and Motorola, as were hardware and router makers such as HP, EMC, Brocade, Dell and Cisco.
A major risk stems from the persistent failure to patch these embedded devices.
“The number of machines that exposed their build date in the firmware is about 250,000 of that 3.1 billion,” says Moore, referring to his scan of “almost” every IP address on the internet. “250,000 is a small sample, but if you just look at Cisco routers, more than 55 to 58 per cent of those hadn't been updated since 2007.
“You have four years' worth of unpatched routers hanging out there that make up the majority of routers, since it's Cisco.”
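Moore's percentages come from matching scan output against the build dates that devices leak in their banners. The following is an added example, not code from the article, from Moore or from Rapid7, showing the shape of that check over a constructed inventory. The banner formats it parses (the "Compiled ..." line of Cisco IOS and the "Creation date: ..." line of the VxWorks boot banner) and the WDB agent's default port of 17185/udp are real; the hosts, addresses and open-port lists are made up, and the firmware-age cutoff is a parameter you pick.

```python
import re
from datetime import datetime

# Constructed sample records (not real scan output): each holds a banner grabbed
# from a device's management service plus the UDP ports a scanner found open.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10",
     "banner": "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), "
               "Version 12.4(15)T1, Compiled Tue 12-Jun-07 15:05 by prod_rel_team",
     "udp_open": [161]},
    {"ip": "192.0.2.11",
     "banner": "Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), "
               "Version 15.1(4)M, Compiled Wed 20-Apr-11 23:08 by prod_rel_team",
     "udp_open": []},
    {"ip": "192.0.2.12",
     "banner": "VxWorks 6.6\nCreation date: Jan 15 2008, 10:21:44",
     "udp_open": [17185]},
    {"ip": "192.0.2.13",
     "banner": "VxWorks 5.5.1\nCreation date: Aug 2 2010, 08:00:00",
     "udp_open": []},
    {"ip": "192.0.2.14",
     "banner": "Welcome to the management console",   # exposes no build date
     "udp_open": [17185]},
]

# Default port on which the VxWorks WDB target agent listens.
WDB_AGENT_UDP_PORT = 17185

# Cisco IOS: "Compiled Tue 12-Jun-07 ..."; VxWorks boot banner: "Creation date: Jan 15 2008".
# Other vendors would need their own patterns.
_CISCO_RE = re.compile(r"Compiled \w{3} (\d{1,2}-\w{3}-\d{2})")
_VXWORKS_RE = re.compile(r"Creation date: (\w{3} \d{1,2} \d{4})")


def build_year(banner):
    """Return the firmware build year parsed from a banner, or None if none is exposed."""
    m = _CISCO_RE.search(banner)
    if m:
        return datetime.strptime(m.group(1), "%d-%b-%y").year
    m = _VXWORKS_RE.search(banner)
    if m:
        return datetime.strptime(m.group(1), "%b %d %Y").year
    return None


def stale_firmware(hosts, cutoff_year):
    """IPs whose exposed build year is earlier than cutoff_year (undated hosts are skipped)."""
    stale = []
    for h in hosts:
        year = build_year(h["banner"])
        if year is not None and year < cutoff_year:
            stale.append(h["ip"])
    return stale


def stale_fraction(hosts, cutoff_year):
    """Share of hosts with a visible build date that are older than cutoff_year.

    Hosts that leak no date cannot be judged and are left out of the denominator,
    which is why a figure like this is only ever a lower bound on the problem.
    """
    dated = [y for y in (build_year(h["banner"]) for h in hosts) if y is not None]
    if not dated:
        return 0.0
    return sum(1 for y in dated if y < cutoff_year) / len(dated)


def wdb_exposed(hosts):
    """IPs answering on the WDB agent port: debugging left switched on in production."""
    return [h["ip"] for h in hosts if WDB_AGENT_UDP_PORT in h["udp_open"]]


if __name__ == "__main__":
    cutoff = 2009
    print("build older than %d: %s" % (cutoff, stale_firmware(SAMPLE_HOSTS, cutoff)))
    print("stale fraction of dated hosts: %.2f" % stale_fraction(SAMPLE_HOSTS, cutoff))
    print("WDB agent reachable: %s" % wdb_exposed(SAMPLE_HOSTS))
```

Two things to carry over from the toy to a real inventory: a device that hides its build date is not thereby current, so treat the undated set as unknown risk rather than as clean, and a reachable WDB port is a finding in its own right regardless of firmware age, since the agent grants memory access without any credentials.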
HOME GROWN THREATS
For local security industry analysts, however, it is people, processes and trust that are the major risks in the coming year.
“In Australia everybody thinks that the economic good times are back and here to stay and I'm not seeing sufficient planning,” says IBRS' Turner.
“My concern is that as these projects are rolled out, the pressure will be on for fast delivery and technical rollouts will be lobbed over to the IT security people who are told, ‘we're going live tomorrow, you need to certify this now’.
“We'll suddenly be back to the same old situation of security being an afterthought and a bolt-on,” he says. The byproduct of haste will be insecure websites, poorly designed mobility solutions, and overlooked information asset risks.
Jason Edelstein, chief technology officer for security firm Sense of Security, believes insider threats are still not treated seriously enough.
“While there is a lot of evidence to support this risk, most organisations ‘trust’ their staff and believe it will not happen to them,” says Edelstein. “We are too often called in to conduct the forensic postmortem following the theft of intellectual property or the actions of a disgruntled employee.”
Andrew Walls, Gartner's security and risk research director, takes a slightly longer view, believing that the origins of the insider threats businesses face today stem from placing too much faith in technological solutions and failing to invest in people.
“Many years ago we bought into this idea that through IT we could reduce our reliance on individuals,” he says, pointing to the so-called knowledge management systems that sought to capture tacit employee knowledge.
CLOUD
Google, Microsoft, Amazon and Salesforce.com have yet to suffer a major data breach, but observers say it's only a matter of time.
“We're seeing mostly large retail establishments being compromised, but I wouldn't be surprised if we see something like Amazon EC2's back-end databases get leaked,” speculates Moore, who also founded the Metasploit Framework, an open source penetration testing framework.
When it does happen, Gartner's security and risk research director, Andrew Walls, believes the fallout will demonstrate just how little knowledge end-users have of the services they've entrusted their data to. “Our expectation is that we're going to see some major corporate hits through cascading failures in the Cloud,” says Walls.
While these vendors may offer better security than many of their customers could manage themselves, they still lack transparency, he warns. “In the security world, if we have an unknown risk, we have to assume it is a high risk. If we can't get our hands around it, we have to assume it is really dangerous.”
“When we get that transparency, you can really start to do risk management. You can quantify the risk to some extent.”