Targeted Threats
The year began with a bang with a targeted attack and breach affecting Google and many other known companies. Google accused the government of China of being responsible for the attacks--even involving the United States Department of State in the matter.
Dubbed , or Hydraq, depending on which source you use, the attack was unique in being allegedly state-sponsored. China denied any involvement, but a WikiLeaks leak months later suggested there might be something to the theory. The other unique aspect of the Operation Aurora attack, though, was the way the affected parties joined forces--sharing details of the attack and working collaboratively to get to the bottom of things.
A state-sponsored attack against a high-profile tech target is one variation of a targeted attack. The Stuxnet worm, however, demonstrates that there are more insidious targeted attacks to watch out for as well (it is worth noting, though, that Stuxnet is alleged to be ). Gary Egan, director of , explains, "It is quite possible that Stuxnet has ushered in the next evolutionary shift in malware: a new class of threat that is weaponized to cause real-world damage. It is also one of the most complex threats ever seen."
The Stuxnet worm exploited four separate zero-day vulnerabilities, utilized cutting-edge techniques to evade detection, and is the first rootkit known to be specifically engineered to impact programmable logic controllers (PLCs) like those used in manufacturing and production plants. Egan exclaims, "The political and societal implications of Stuxnet are far reaching."
Playing in the Sandbox
2010 can't take credit for introducing the concept of the sandbox as a security control, but it does seem to be the year that it became more widely adopted and entered the mainstream vocabulary. Products such as the Google Chrome Web browser and Adobe Reader software both embraced sandboxing as a means of preventing attacks and exploits.
The sandbox is basically a safe zone that is segregated from the rest of the application or PC. Code--such as Javascript--is allowed to run within the sandbox, but can not infect or impact the rest of the system. Using a sandbox as a security control helps these applications prevent many of the most common attacks.
Sandboxing may move beyond individual applications, though. A spokesperson for commented to say, "Fully virtualized sandboxing solutions are making their way onto the market, specifically to address Web-borne attacks that defeat even application sandboxes, including trust-based exploits against users, e.g., fake antivirus, poisoned SEO, and kernel exploits."
Banner Year for Microsoft
Microsoft broke a variety of records in 2010 when it comes to identifying and patching software vulnerabilities. Some will debate that it is a function of sloppy development and poor attention to detail, while others suggest that Microsoft has simply become much more effective at finding flaws and vulnerabilities, and much more responsive about dealing with them.
Microsoft set a few monthly high marks for the number of security bulletins , and compiled a formidable total of security bulletins for the year. Symantec's Egan says, "Related to the number of security bulletins released is the number of individual vulnerabilities fixed by Microsoft in 2010, which was nearly 100 more than what they discovered and corrected last year. By our count, the 2010 tally is 261; last year, the company patched 170 vulnerabilities."
Web Attack Toolkits
The rise of automation techniques such as Web attack toolkits continued at a dramatic pace throughout 2010. These kits lower the bar in terms of programming skill for would-be attackers--enabling even coding novices to quickly exploit new vulnerabilities, and develop sophisticated malware attacks.
Andrew Brandt, lead threat research analyst at , states, "It was a big year for customizable, highly configurable, and very slick-looking exploit kits. Exploit kits are sold to malware distributors, and can instantly turn a Web server into a drive-by download site."
The Mariposa botnet--thwarted with the help of --is a prime example of how effective and pervasive an attack can be using an attack toolkit. The leaders of the Mariposa botnet apparently had little, if any, actual programming knowledge.
Ori Eisen, CIO of , proclaims, "We are getting close to the point where all the planets align; where fraud makes the evolutionary leap from organic growth with limited success, to exponential growth with a much higher success rate because the barrier for entry is minimal, and these attacks are highly scalable."
Social Engineering Attacks
Some things never change, and one of them is that the person sitting at the keyboard is invariably the weakest link in the security chain. Another thing that will never change is that attackers will continue to recognize and exploit this fact to the best of their ability.
Rogue antivirus software has been --hard drive defrag utilities and general system performance tools--to lure naïve users into installing malicious software on their own PCs.
Symantec's Egan clarifies, "2010 saw a continuation of the trend over the last few years for malware to use one of the oldest tricks in the book: to 'con' its way onto a user's system. In other words, it convinces the victim to invite the attacker right in through the front door. Whether by pretending to be a legitimate application - such as rogue antivirus or a fake video codec - or by pretending to be something from an acquaintance of the victim - such as a socially engineered email - socially engineered attacks continued to be one of the easiest ways onto a user's system in 2010."
Webroot's Brandt commented, "It's no surprise that rogue AV is a big moneymaker for malware distributors, so it also should come as no surprise that said distributors have been investing in not only generating new names for their rogues, but also in making them much harder for a casual observer to identify, let alone get rid of."
These are just a handful of the big security stories from 2010. Social networking sites such as Facebook and Twitter present a target-rich environment filled with unsuspecting victims whose guard is already down since the purpose of such sites is to share information socially. As we enter 2011, these social networking threats will continue, as will new attacks aimed at mobile gadgets like smartphones and tablets.
Security vendors will most certainly develop new tools and defenses to protect against these threats. But, no amount of security software can replace a healthy dose of cautious skepticism and an ounce of common sense.