News

Opinion: Social Engineering Still Alive and Kicking

• By Russ Cooper
• May 17, 2005

Visitors to the Hushmail site were instead sent to a server co-opted by the attacker. Network Solutions said it's implemented new security measures to ensure that such an "isolated event" doesn't happen again.

There are so many things to go into here it's hard to decide where to start. First, the existing security measures Network Solutions purports to have in place weren't followed; what's the point in implementing new measures if the old ones can't be followed?

Second, it demonstrates the frailty of the entire Internet. A single site, with a single point to alter such significant information, can lead to an entire company's online presence being altered or removed. No amount of backup could have prevented this. It's solely in the hands of Network Solutions to ensure this sort of thing can't happen. Multi- billion dollar companies must be able to rely on Network Solutions to prevent such an attack. Think about that the next time you're preparing your sales forecasts for online business.

Although the redirection didn't last for very long, and despite the fact that Hushmail has stated that no data was at risk or compromised in the process, the action has had -- and will continue to have -- a significant impact on Hushmail's reputation and credibility. This will become an urban legend, something talked about for many years to come.

Social engineering targeting customer support personnel is one of the oldest forms of attack. That a company the size and importance of Network Solutions could be vulnerable to such an attack demonstrates a shocking lack of sound security practices and judgment on its part.

Hacking

According to a report by Zone-H, a site that monitors hacking activity, Web server attacks and Website defacements rose by 36 percent in 2004. Last year, there were nearly 400,000 attacks on network servers and corporate websites worldwide. Currently, 2,500 Web servers are hacked daily and Zone-H estimates that these numbers could rise to 80,000 per day once third-generation VoIP phones become mainstream. Zone-H also reported 186 attacks on U.S. government servers and 49 attacks on U.S. military servers.

It's important to note that Zone-H, www.zone-h.com, relies solely upon reports from others for its data, leading to questions about its overall accuracy. Previously, an outage of Zone-H's site would lead to a reduction in reported defacements. Whether it was caused by an inability to get hacker e-mail or a slowdown in reporting by hackers who saw that the site was down is unclear.

That said, it's safe to assume that defacements continue to increase. Website defacement is often seen as a "rite of passage" for hackers. Generally, a would-be hacker starts by defacing some easily attacked Websites (like default Apache installs or those using the scripting language PHP) in an attempt to gain some credibility within the hacking community. After a year or two, individuals move out of the defacement attack space and into more sophisticated attack methods.

Malicious Code

McAfee and Kaspersky Labs have recently published reports agreeing with a Symantec study that found mass-mailing viruses on the decline as virus writers switch to bots and Trojans. The Kaspersky report describes botnets as "the greatest threat to the Internet as we know it" and names their detection and prevention as a priority for the technology industry. The McAfee report finds that the motivation for botnets and Trojans is profit; the malware can steal private data or create a platform for spam, malware and denial of service extortion. Kaspersky estimates that 50,000 new bots are created each month, with a current total of around several million.

According to anti-virus Vendor Panda, the number of new viruses has almost tripled in the last six months. The spike is attributed to the many variants of viruses being released, simply repackaged with different encryption techniques.

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most- recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.