SANS: VoIP, zero-day threats surge

By Bill Brenner, Senior News Writer 15 Nov 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Attackers are using quieter, more targeted tactics that have given them much more success. Allan Paller, research director, SANS Institute

Product vulnerabilities continue to top the Bethesda, Md.-based institute's list of threats, but human error has also made the list, given users' susceptibility to phishing scams.

"Smart people are falling for phishing because attackers are coming up with more sophisticated techniques," said Allan Paller, research director at the SANS Institute. For example, he said, "If a company is making plans to go public, phishers can send emails to employees that look like a progress report on the IPO, including the name of the CEO. The email looks the way it's supposed to and it's trusted."

Among this year's top 20 are six major attack trends:

• A surge in zero-day attacks that go beyond Internet Explorer to target other Microsoft software.
• A rapid growth in attacks exploiting vulnerabilities in ubiquitous Microsoft Office products such as PowerPoint and Excel.
• A continued growth in targeted attacks.
• Increased phishing attacks against military and government contractor sites.
• A surge in VOIP (Voice over Internet Protocol) attacks in which attackers can intercept and sell company meeting minutes, inject misleading messages or create massive outages in the old phone network.
• Ever-increasing attacks against Web application flaws.

Paller said IT security officers shouldn't underestimate the ability of hackers to exploit VoIP for financial gain.

"Law enforcement has told me they're dealing with multiple active cases where someone took over a company's VoIP system, stole the minutes, then they turned around and sold them," he said. "VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages."

SANS top 20 internet security attack targets: Operating Systems: 1. Internet Explorer 2. Windows libraries 3. Microsoft Office 4. Windows services 5. Windows configuration weaknesses 6. Mac OS X 7. UNIX configuration weaknesses  Cross-Platform Applications:   8. Web applications 9. Database software 10. P2P file sharing applications 11. Instant messaging 12. Media players 13. DNS servers 14. Backup software 15. Security, enterprise, and directory management servers   Network Devices: 16. VoIP servers and phones 17. Network and other devices common configuration weaknesses   Security Policy and Personnel: 18. Excessive user rights and unauthorized devices 19. Users (phishing/spear phishing)   Special Section: 20. Zero-day attacks   For more information, visit the SANS Institute Web site.

He said another big trend this year is the increased penetration of government systems through targeted attacks that use phishing and other tactics.

"People think things are better because they haven't seen many worm attacks," Paller said. "But in reality, attackers are using quieter, more targeted tactics that have given them much more success. As targeted attacks become the main economic threat, phishing really comes into play."

Human error made it onto the top 20 because of all the successful attacks that required involvement from the user, he said. Meanwhile, last year's big trend of increased attacks against Web application flaws continued this year.

In a written statement, SANS said changes to this year's list doesn't mean attackers have stopped using tactics and flaws announced in earlier reports. For example, Apple computers are being increasingly targeted, as was previously predicted. "In reality, few attack patterns are ever discarded," Paller said. "The attacks are automated and continue to be used, but many organizations have established defensive strategies to minimize the risk from the older attack patterns."

Going forward, he said, attacks will increase against cell phones and appliances such as digital printers.

Paller said IT administrators should use the SANS list to adjust their network defenses and get upper management support for new security procedures and investments.

"Your first stop should be the CEO's office," Paller said. "Show them the information and tell them you don't have the capacity to beat this. Ask them to get together with other CEOs and really put pressure on the industry to bake security into their products."

Tags: Web Application Security,  Network Protocols and Security,  Email and Messaging Threats (spam, phishing, instant messaging),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Application Security Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Scanning with N-Stalker offers basic Web application security assessment Attackers target PDF, DirectShow flaws with malicious banner ads New Bahama botnet evades search engines, fuels click fraud Network Protocols and Security Expert calls SSL protocol vulnerability a non issue How to prevent phishing attacks with social engineering tests How SSL-encrypted Web connections are intercepted DNSSEC deployment challenges can be overcome Microsoft issues SMB vulnerability advisory, patch pending Microsoft repairs Windows media, TCP/IP vulnerabilities How to test IPv6 infrastructures DNSSEC deployments gain momentum since Kaminsky DNS bug Kaminsky interview: DNSSEC addresses cross-organizational trust and security How to create secure Windows FTP automation Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anonymous Web surfing  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cookie poisoning  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary