What Scares Me About Security in 2007

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Opinion: 2007 is the year that attackers get more creative. The low-hanging fruit is gone.

I'm always annoyed when it comes to the end-of-year retrospectives and predictions, especially the predictions. "More of the same" is never an acceptable answer, even if it's true, because it's boring. But I do think that the security landscape has been changing over the last year and should accelerate in 2007.

The "malware winter" began some time before client vulnerabilities began to shrink in urgency. There have been some pretenders to the malware-of-the-year throne, but no real winners.

We could see in 2006 the shift from mass vulnerability-based attacks, even as a rash of "zero day" attacks emerged. Almost all of these zero-day attacks affected very few users.

This is not to say that there are no threats out there, far from it. Leave an unprotected computer out there and act irresponsibly with it, and you'll be "0wned" in no time flat. But protection against these threats has gotten much better and cheaper; anyone who is interested in protecting themselves can for a reasonable amount of money.

Security vendors are even beginning to be more reasonable with their pricing. The Norton 2007 line permits you to use one copy on up to three computers. That's a big step forward for consumer protection.

But we've also been hearing for years about the more sophisticated next generation of attacks. Recently I've seen a few examples that really concern me. Consider the "man-in-the-middle" phishing attack described by Brian Krebs.

In this example, instead of hosting a real phishing site, the site runs a program that proxies for the site being phished, in this example Amazon.com. The user sees what appears to be Amazon.com in the window, and, in fact, it is Amazon.com, having passed through the phishing program on its way to the user.

The attack site just tries to get log-in info, but it could keylog a lot more than that, including credit card info. The user can even buy merchandise and get it delivered! All this particular attack needs is a better domain name.

Another "advance" in phishing came my way today from F-Secure, which identifies phishing sites based on Flash content. This allows realistic sites that can elude many anti-phishing filters.

In the long term I'm optimistic about the ability of security software to combat phishing; there's so much more that it can do, but we're still in the baby steps.

Expect to see many more attacks this year moving up the application stack, both on the client and server, as the base operating system and the browser have become much harder to attack.

On the client, attacks may find it easier to get through more narrow targets. Maybe the scariest bug I've heard of in the last few months was the Broadcom Wireless Driver Probe Response SSID Overflow from the Month of Kernel Bugs. A stranger nearby can exploit you through this over wireless!

One way to avoid phishing sites is to look for the Extended Validation certificate. Click here to read more about it.

But in fact, as Oliver Friedrichs of Symantec Security Response says, the real action in vulnerabilities and exploits is on the server, where more than 70 percent of vulnerabilities are from Web apps, PHP, Perl and similar systems. Many of the sites with these vulnerabilities are front ends for important databases.

With such potential you can expect to see Web app worms going nuts this year, causing massive damage. And since PHP has suffered them before and so much research is focused on it, expect the attacks to center on those servers. If you run a PHP server, better keep up with those updates.

It's going to be a harder year for security in 2007 because it will be harder to explain problems, and perhaps harder to write tools to detect them. But part of this is because we've already made things hard for the bad guys.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...