Happy hackers in the holiday season
"Social engineering is still the weakest part of the equation," said Stacey Lum, CEO of security vendor InfoExpress.
But with the shopping season nearing its end, the only real attack so far has come from Navidad, a virus that in two months' time became the seventh most prevalently reported virus on anti-virus vendor Sophos' list of top viruses for the year.
"Hackers are smart," said Graham Cluley, senior technology officer at Sophos, in London. "If you say to users 'watch out for this time of year,' the hackers will wait until right after this time of year. Users should be equally paranoid all the time."
And, all experts agreed, users should prepare for an even knottier year coming, as hackers are getting more sophisticated, both technologically and socially.
"It has surprised me how savvy some of the hacks have been," said ISS' Rouland. "They know economics, shutting down a Web site on the day of an IPO [initial public offering] and targeting Christmas for credit card hacks."
Others said the schemes being used by hackers lately have shown a step up in sophistication. One security expert said some of the new attacks move far beyond the simple e-mail attachments that dominated this year. He cited the Bymer worm, which, similar to Trinity Version 3, is an automated attack worm that scans for certain types of servers with vulnerabilities and implants itself on the weak systems, increasing the efficiencies of hacking.
Other worms, such as the year's most prevalent virus, Kakworm, and the recently discovered Forgotten.A, up the clever quotient by launching when an e-mail is opened, not the attachment.
Experts also worry about chat clients in the coming year. They provide nearly total anonymity, they can quickly and anonymously send rogue files to other chat clients or chat servers and the companies that run them, and the networks are always available.
Another headache for next year, ironically, will be encryption. Virtual private networks for broadband users and increased acceptance of encrypted e-mail mean sentries at the gateways won't see malicious code and will let the encrypted bits waltz in or out the front door.
"There's no easy answer to this," said Sophos' Cluley. "If something like ILoveYou happened in a world where encrypted e-mail was accepted, it could have been ... catastrophic."
What can enterprise administrators do? This latest round of malcontentment could be enough to stir up paranoia and despondency among IT managers, but @stake's Weld Pond preached calm and vigilance in the face of what looks like impending chaos.
"Awareness is way up. That's good, especially with privacy. Users are getting cynical," said Pond, the company's R&D manager. "You know car manufacturers are required to recall products when they fail. Not so in software or the Internet yet. So you have to challenge your vendors. Assume security in their products is bad and ask them what they're doing about it. Be disciplined in your practices. Don't act without thinking."
