Well, here we are, the start of 2012. If you’re like me, you’ve read a bunch of stories online about the top news stories, movies and books of 2011. But what about the top 10 cyber security stories of 2011? That’s what I am here for, to give you the rundown!
This is a very condensed version of an article that will appear in this month’s Virus Bulletin. To get the full details rather than my snippets here, you’ll need to refer to that.
Oh, yeah, in full disclosure, this is really the top 10 stories of January through the first half of November – in order to meet my editing deadline. Now without further ado, here they are.
For years, the spamming botnet with the biggest footprint was the Rustock botnet. Its characteristics were to “wake up” at a specific time each time day, send tons of spam messages, and go back to sleep. But on March 16, 2011, the US Department of Justice, working with Microsoft, Shadowserver, and some other partners obtained a court order to seize command-and-control servers that were responsible for running the Rustock botnet in the United States. Virtually overnight, spam from Rustock plummeted and has never recovered:
Starting in late 2010 and continuing throughout 2011, something odd happened: spam started to decline. And it didn’t just decline a little, it declined a lot: What caused this steep decline? The answer: nobody knows for certain. But what we do know is this: the battle against spam isn’t over, it’s just shifted from one form to another.
In March, some disturbing information leaked out of RSA, the company that has long been associated with security. These are the guys that make the key fobs that many of use to get onto our corporate network using two-factor authentication. Somebody, somewhere, sent an RSA employee – not a high level employee, just a regular ham-and-egger like you and me – an email with an attachment. The subject line read something like “2011 Recruitment Plan.” The employee opened opened the attached Excel file, and their computer became infected with a piece of malware when it exploited a previously undocumented Flash vulnerability. The intruders were now inside.
RSA wouldn’t be the last big-name corporation to get hacked using a sophisticated attack. Large government contractors like Lockheed Martin and Seagate Technology were hit, as well as the Internal Revenue Service and Freddie Mac.
In September 2011, McAfee released a report, in conjunction with Vanity Fair magazine, about Operation ShadyRAT. In the report, McAfee studied a bunch of cyber intrusions where numerous victims were targeted – government agencies in the United States, Taiwan, South Korea, Canada; large corporations in a number of countries; and non-profits such as the International Olympic Committee. Why were these entities targeted?
“All the signs point to China,” says James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, adding, “Who else spies on Taiwan?”
Regardless of whoever is behind the attacks, 2011 saw a huge increase of the detection of APTs – Advanced Persistent Threats. You could classify 2011 as the “Year of the Hack.”
Especially when it comes to story #5.
Anonymous is an international hacking group, spread through the Internet, initiating active civil disobedience, while attempting to maintain anonymity. CNN has said that they are one of the successors to WikiLeaks. In April, Sony announced that it had been victims of a hack where a whole bunch of user information was stolen from their servers and posted online. In June, a suspected splinter group of Anonymous – LulzSec – launched their own hacking attacks. They went after the websites of the CIA, Sony, Fox News, PBS, and others. During the summer, it seemed like there was a hack attack each week and what was newsworthy was not that a company was hacked, but that a week went by without an attack. The hack attacks of LulzSec and Anonymous eventually quieted down but Anonymous still continues to operate (as I talked about in another post).
We’ll see what happens in 2012.
For years, Microsoft has devoted plenty of resources to stamping out the problem of malware that infects its operating systems. Fair or not, Windows has earned a reputation that it is insecure and susceptible to malware. By contrast, Apple has historically prided itself on the belief that it is not prone to malware. They even released television commercials implying that very thing.
But this year, something odd happened – malware appeared for the Mac. And users were falling for it.
It’s not that malware never existed for the Mac, it has. It’s just that this year it became really obvious malware exists for the Mac because of its prevalence.
The good news in all of this is that Apple did respond to the problem fairly quickly and is now starting to get into the rhythm of security releases. Like anything, once you become popular, you start to become a target for online criminals.
Mobile malware is still in its infancy and hasn’t yet taken off, but it is growing. And just like the PC became a target of malware writers because of its ubiquity and open systems (anyone could write applications), smartphones are becoming targets of malware writers where the systems are ubiquitous and the platform is open. And the fastest growing target of malware writers is Google’s Android.
Does this mean that smart phones, particularly Android, are especially vulnerable? Not exactly. The smartphone space is still fairly new, but luckily, that still works in its favor. As long as you buy or install applications from reputable places, you are not going to have much of a problem (most of the time).
Microsoft decided to examine the threat of zero-days and examine whether the fears were justified; and also as important, to put it into context relative to all of the other threats that are out there.
The analysis revealed that zero-day threats account for much less than 1% of all malware threats out there. The fact of the matter is that for all of the hype that exists about it, the vast majority of threats have defenses already in place. You can protect yourself if you just follow basic steps like keeping your computer software up-to-date, running a firewall, and running antivirus software.
The University of California performed an experiment where they started buying spam from spam campaigns and then started looking at credit card transactions. Like most people on the planet, you and I are only vaguely aware of how this process works. You go to a website, enter in your credit information, and like magic you get your stuff a few days or weeks later. You then happily pay your credit card bill where said transaction ends up on the statement.
Instead of going after users or using technology to keep users safer, the UC proposed pressuring banks to clamping down on fraudulent banking transactions. They discovered that three banks are responsible for 3/4 of spam payments, then shutting those down represents a real disruption to the spam business.
Moving the online abuse infrastructure is relatively easy. It’s not difficult to register domains or set up botnets. However, it is time consuming and costly to negotiate payments with banks. Spammers cannot simply pick up and move banks the way they can with domains. It is a human process that has checks and balances.
In November, the FBI announced the arrest of six Estonian nationals in what some call the biggest cyber heist arrest in history. Responsible for the DNSChanger malware, which redirected unsuspecting users to rogue Internet pages, the botnet that they operated was over 4 million computers (!).
Similar to what occurred with Rustock, the rogue command-and-control servers were seized infected requests to DNS servers were replaced with legitimate ones.
Not a bad Christmas present for law enforcement.
Well, that’s the way I saw 2011. From APTs to hacking to malware to spam, there was a little something for everyone. I’ve now written a couple of these Top Ten articles, and while there is a lot of overlap, I’m always surprised by the new stories that appear and make the list.
Who knows what I’ll think is important enough to add to my 2012 list!