Sophos Security Threat Report 2011



Security threat report 2011: cute and furry? or ruthless and deadly?
We will remember 2010 as a year in which our interaction with technology—and with each other—evolved because of the widespread adoption of social media and the use of innovative mobile computing devices.

We are dependent on smart devices—just ask anyone who has lost their iPhone or BlackBerry. And whether you’re using a mobile device or a laptop or desktop computer, you’re likely to use social networks more than ever. This new technology changes the way we communicate with our friends, colleagues and customers. This not only revolutionizes the way we live our lives, but also blurs the lines that define the way we run our businesses and use and share information.

Today, users are the content. Driving the growth, and at the same time being driven by it, the explosion in mobile computing is expanding the impact of the social web. And, the way that content is shared and accessed is now the core of a new global culture, affecting and combining the spheres of personal and business life.
Of course, this evolution of technology is closely tracked by the “bad guys” willing to exploit weaknesses in our technologies and in human nature. Cybercriminals prey on our curiosity, and perhaps our vulnerability and gullibility, and use psychological traps to profit from unsuspecting technology users. Malware scams and exploits targeting social networking websites, applications, devices, and users proliferate. At the same time, traditional attacks continue to become more sophisticated to target the most advanced software, hardware and websites.

“By preying on our curiosity, cybercriminals are able to use psychological traps to profit from unsuspecting users of technology.”
By the end of 2010, WikiLeaks, a whistle-blowing website, caused a global furor. The site publishes private, secret and classified media submissions from anonymous news sources and news leaks, and led to sustained and sophisticated tit-for-tat cyber-attacks. This underlines the importance of data security and cyber-caution for large-scale business, for government and at the personal level as well.

As always, we continue to track—and where possible, thwart—the latest attack techniques and maintain protection against them. To stay secure in 2011 and beyond, it’s vital that we understand how threats worked in 2010. This report identifies the threats, the way they work, and provides insight into the tools and techniques available to protect your systems and data.
Identifying the threats: where to watch

95,000—that’s the number of malware pieces analyzed by SophosLabs every day in 2010, nearly doubling the number of malware pieces we tracked in 2009. This accounts for one unique file every 0.9 seconds, 24 hours per day, each day of the year. It’s a clear sign that the malware threat continues to grow at an alarming rate.

Today, more than ever before, hackers aren’t just producing malware for notoriety—they’re producing it for large financial gain. We track these methods of attack and constantly learn from them so we can block and protect your systems. Here’s a look at the more significant threats of 2010. It’s wise to keep watching these threats, as they’re likely to surface again in 2011.
Fake anti-virus software

One of the more persistent threats of the year was fake anti-virus, also commonly known as “scareware” or “rogueware.” In this widespread practice, software is inveigled into a victim’s computer system, closely resembling—and in some cases directly impersonating—genuine security solutions. The user receives a warning that their system is infected with some nasty malware and is forced to pay for a “full” version of the software to remove the threat. Of course, paying money to the bad guys doesn’t provide any protection. In most cases there’s no real danger, and in many cases they’re actually installing additional malware on the system and taking your credit card information. With this kind of data handed over so freely, cybercrooks can drain your bank account or completely take over your identity.

Clearly the scam is successful for those cybercrooks propagating these rogue products; over half a million fake anti-virus software variants have been encountered. Along with the fear/response trick of the scam itself, numerous methods are used to get malicious software onto victims’ machines. Some are direct methods such as warning pop-ups activated by visiting malicious or compromised webpages, and other methods span to more generic social engineering techniques used to convince recipients of spammed emails to open malicious attachments.

A good first step to combat the fake anti-virus threat is user education, but even informed attempts to fight back are often hindered by unwise activities from legitimate sites and service providers. For example, a genuine campaign run by U.S. Internet Service Provider, Comcast, warned users of suspected botnet infections. However, this real alert was hard for some to distinguish from a fake anti-virus software alert.
Attacks using Internet marketing techniques

While older approaches such as email remain a threat, fake anti-virus and other malware are largely spread through the web. The search engine is our gateway to the web, and cybercrooks are skilled at manipulating search results from the engines such as Google, Bing and Yahoo! to lure victims to their malicious pages. These pages host security risks and browser exploits just waiting to infect users who are directed to these sites. There’s also the abuse of legitimate search engine optimization (SEO) techniques. Legitimate Search Engine Optimization (SEO) techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as Black Hat SEO.

With Black Hat SEO attacks—known as “SEO poisoning”—search engine results are poisoned to drive user traffic to the rogue site. Google reported that up to 1.3% of their search results are infected. So, with SEO poisoning, you’re directed to a bad page through a poisoned search. Once a victim is lured to the desired webpage, they’re redirected to these rogue or poisoned sites. On these sites, cybercriminals infect users’ machines with malware or push fake goods and services to users while attempting to steal personal information.

To maximize the number of victims, crooks hijack search terms likely to generate a lot of traffic, such as rapidly breaking news stories and popular “trending” searches. In 2010, topics abused to target searchers included natural disasters such as earthquakes and tsunamis, entertainment stories such as the Oscars, the love lives of Hollywood stars and royalty, and the tragic stories of victims of cyber-bullying. Criminals even hijacked legitimate anti-virus companies’ press releases as a tactic to get users to click on poisoned search results.

Black hat SEO and SEO poisoning attacks explained

  • SEO stands for search engine optimization, a standard Internet marketing technique used by many legitimate firms to help promote their Internet presence
  • SEO involves careful selection of keywords and topics to increase a page’s popularity and rating in search engine results, which are sorted based on link rankings
  • Cybercriminals use SEO techniques to latch onto trending or popular topics, such as major news events or holidays
  • Malicious sites reference trending search terms and are optimized to pull traffic from search engines
  • Custom tools are for sale on underground cybercriminal forums that steal content from legitimate webpages about the subject matter, and interlink pages across domains for a higher ranking in search engines
  • Page visitors are subjected to malware attacks targeting browser vulnerabilities, scareware scams and more
Social engineering techniques on social networks

By mid-2010, Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web. People use the Internet differently because of social networking. Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites. Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base, with diverse and steadily growing attacks throughout 2010.

One of the more common types of attacks hitting Facebook users is “clickjacking,” also called “UI redressing.” These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different. Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.

Clickjacking uses the standard arsenal of social engineering techniques to lure new victims and trick them into clicking on the disguised links, many of which developed a rather dark tone in 2010. Alongside the usual barrage of lures such as humor, compromising pictures of celebrities and major news and entertainment events, we saw a rise in increasingly bizarre and often gruesome content. Stories of suicide, car crashes and shark attacks, the allegedly “horrific” effects of a popular drink and over-the-top revenge stories were all clickjacking scams in 2010. On some days last year, cybercrooks introduced dozens of new scams.

Clickjacking attacks not only spread social networking link-spam, they also regularly carry out other actions such as granting access to valuable personal information and even making purchases. One of the main financial motivations behind clickjacking is money earned from survey scams.

What is social engineering?

Social engineering is a catch-all term for psychological tricks used to persuade people to undermine their own online security. This can include opening an email attachment, clicking a button, following a link, or filling in a form with sensitive personal information. All sorts of scams, and many methods used to spread malware, make use of social engineering techniques, and target human desires and fears—as well as just plain curiosity—to get past the caution we should all be exercising when online.

“Trojan Horse” malware is a classic example of a social engineering technique. Taking its name from the ancient tale of the huge wooden horse that the Greeks constructed and left at the gates of Troy as a gift, today’s Trojan Horse also works by bypassing security defenses. This malware routinely uses the Trojan Horse scheme by disguising files as “free” or cracked software, and can include sex videos or any other hidden means to get past security.
The “Survey scam” tricks users into installing an application from a spammed link. To access the application’s alleged (but often non-existent) functionality, users must grant access to their personal data. This sends out links to a new stash of contacts, who also must fill in a survey form, which earns the application creators money through affiliate systems. Facebook founders and operators insist that keeping users safe from spam and scams is a top priority, and they use large teams of security experts to remove suspect applications as soon as they’re detected or pointed out by users. Yet, the problem continues to grow as the site’s growing user base makes it an ever richer target for the bad guys.

The scale of malicious activity on Facebook appears to be out of control, and people are taking notice. A Sophos Poll in June 2010 found that 95% of respondents wanted Facebook to do more to prevent “likejacking” attacks (essentially clickjacking by liking something on Facebook) and urged the site to impose stricter controls on the plugin. The social media site, however, is either unable or unwilling to invest the necessary resources to stamp it out.

How to avoid being fooled by social engineering techniques

1. Remember that if something sounds too good to be true, it probably is.
2. Ask yourself—why would you be singled out for a windfall or other special treatment out of the millions of other Internet users? If you can’t find a good reason, it’s probably a scam.
3. Don’t believe everything you read. Just because an email or website is presented attractively doesn’t mean that it’s telling you the truth.
4. Be patient. Too many users end up the victims of Internet crime because they do not stop to think, but instead act on impulse, clicking on a “sexy” link or an interesting-looking attachment without thinking of the possible consequences.
5. Unless you’re certain of a person’s identity and authority to request such information, never provide your personal information or information about your company/organization.
6. Don’t reveal personal and financial information in email. Be wary of emails that ask you to follow a link to enter such information.
7. If you think an email may not be legitimate, attempt to verify it by contacting the company or organization directly. But don’t use the contact information provided in the email to make contact; it could be bogus. Look up the organization’s contact information yourself.
8. Double-check the URLs of websites you visit. Some phishing websites look identical to the actual site, but the URL may be subtly different.
9. Be cautious about sending sensitive information over the Internet if you’re not confident about the security of the website.
10. Be suspicious of unsolicited phone calls and emails that ask for information about your employees or other information. It could be a scammer calling.
With furious debate raging every time privacy and security settings are tweaked on Facebook, it seems that functionality and ease-of-use triumph over security every time. For example, one of the latest innovations introduced is the automatic tagging of photos with the identities of those pictured. For individuals who like to keep their personal details and activities private, this could easily be seen as an intrusion. And, even more disturbing is that automatic tagging could easily act as another gateway for malicious activity.

Spamming on social networks rose further in 2010, with 67% of people surveyed receiving spam messages, up from 57% at the end of 2009 and just 33% in mid-2009. Phishing and malware incidents were also rife, with 43% of users spotting phishing attempts and 40% receiving malware, plus it’s likely that others are unknowing victims. This continues to cause headaches for businesses, with 59% of businesses worried that employee behavior on social sites could endanger company security. Fifty-seven percent of businesses think that employees may be sharing too much information online. However, this isn’t reflected in corporate policies. More than half of the companies surveyed imposed no limitations on accessing Facebook, Twitter and LinkedIn—and less than a quarter of firms completely block these sites.

[Chart: Social networks: spam, phishing and malware reports up. Source: Sophos Survey December 2010]

[Chart: Do you think your employees’ behavior on social networking sites could endanger security at your company? Yes 59%, No 41%. Source: Sophos Survey December 2010]
Spam

As spam expands into other areas online, traditional email spam still remains a significant problem, especially in business. Workers still need to keep their inboxes clear of junk, and advanced mail filtering systems are a necessity in any business hoping to use email efficiently.

Spam generally relies on social engineering to lure its victims, using all the tricks including hijacking breaking news stories, and playing on human fears and desires. One of the biggest email scams is selling pharmaceuticals from offshore services. These emails promise to get around local drug control measures, and 36 million Americans report purchasing drugs from online sellers. If these pharmacies really do exist and actually ship something to their customers—rather than simply taking the money and disappearing—purchasers put themselves at great risk, with the questionable safety of these drugs. Online shoppers also open themselves up to further scams, such as approaches from fake FDA agents threatening legal action.

With the convergence of spam and malware, a growing proportion of spam messages are moving away from these more direct scams. Sending out malicious attachments continues to be widely practiced, but even more prevalent is the mailing of links to poisoned webpages. Operating in the same manner as any other scam, victims are tricked into clicking a link in a mail and then led to a site that attacks their system with exploits or which attempts to implant fake anti-virus software. 2010 also saw a surge in HTML attachments that directly point to malicious web content without directly visiting the dangerous sites.

“36 million Americans report purchasing drugs from unlicensed online sellers”
Spammers are also using more focused email scams, known as “spearphishing,” which sharpen the bait on their hooks to lure a specific target. Spearphishing notably targeted webmail services this year; businesses and institutions received warnings about problems with webmail services that turned out to lead to phishing pages. Once compromised, webmail accounts can become fertile ground for disclosing personal data, identity theft and corporate espionage.

Dirty dozen spam-relaying countries (share of spam relayed)

  United States    16.37%
  India             7.32%
  Brazil            5.83%
  United Kingdom    4.32%
  France            4.04%
  S Korea           3.8%
  Germany           3.44%
  Russia            3.23%
  Italy             3.14%
  Vietnam           2.97%
  Romania           2.35%
  Spain             2.14%
  Other            22.30%

Source: SophosLabs

Spam by continent

  Europe           32.83%
  Asia             31.51%
  North America    20.1%
  South America    12.08%
  Africa            2.39%
  Oceania           1.1%

Source: SophosLabs
Stuxnet: malware goes industrial-strength

One of the more widely-covered malware stories of the year concerned the “Stuxnet” worm. Stuxnet appeared to target highly sensitive SCADA systems, which monitor and control industrial, infrastructure or facility-based processes, and was remarkable for the sophistication of the code and the amount of work involved in its creation. Some of Iran’s sensitive nuclear program computers were reportedly affected by the worm, which targeted programmable logic controllers, or PLCs. When Stuxnet found a targeted PLC, it injected its own code into it and concealed itself and the alterations it made; Stuxnet caused the computer system to misdirect the controlled process.

A report issued by the Congressional Research Service (CRS) claims that Stuxnet could hit the U.S. as well, hampering both the government’s capability and the society’s proficiency to protect the country. It states that a successful attack on the U.S. using the latest variants of the Stuxnet weapon can damage the country’s infrastructure, including water, electricity and transportation.

Enormous hype surrounded the discovery of the Stuxnet worm. The so-called military-grade malware may have been an advanced threat, showing a number of flaws in many layers of security processes, but we will remember the Stuxnet worm more for its media impact than its effect on global politics or industry.
What puts you at risk?

Malware attacks can strike at any time and from anywhere. Weak passwords, mobile devices and social networks, everyday software, removable media, operating systems and the web all pose risk. We’ll cover each of these access points in this section, so you know what puts your people and your devices at risk—and how to thwart future exploits.
Passwords

Despite the increasing sophistication and availability of alternatives, simple passwords remain the most common form of user authentication. Many online sites and services continue to rely on passwords alone to prove that the person interacting with them is who they claim to be. Weaknesses in this approach represent a serious hole in security.
Data-harvesting campaigns routinely steal passwords using malware or illegal technology like keyloggers and screenscrapers that monitor a computer user’s activity. They’re also occasionally leaked by poorly secured websites. The biggest such incident in 2010 affected over a million users of several popular sites operated by the Gawker Media group, while Mozilla’s leak of 44,000 sets of logins from its add-ons system seems to have only affected inactive accounts. Lost and stolen logins can be highly embarrassing—as experienced in 2010 by the usual roster of celebrities—but they can also be much more harmful when used to steal money or harvest sensitive business data.

The risk from phishing and spyware is by no means insignificant, but it is dwarfed by the danger people impose on themselves by failing to exercise proper password caution. Far too many people use simple and easily-guessed passwords like “123456,” “password” and “qwerty,” the top picks from the Gawker leak. People also tend to use the same password for multiple sites, and change them rarely if ever.

To prevent hackers from compromising your accounts, passwords need to be as long and complex as possible. They should use multiple character sets (letters, numbers and symbols) and avoid common words and simple phrases. You shouldn’t repeat passwords from one site to another, and you should change your passwords regularly, especially for highly sensitive logins such as online banking. In business, hardware-based security methods, such as tokens providing one-time passwords, can help provide a much higher level of security. Banks and other providers of high-risk online services are slowly beginning to implement this type of technology.
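The password advice above (length, multiple character sets, no common words, no reuse across sites) can be turned into an automated check at account sign-up. The following is an added example written for this edit, not code from Sophos or from any of the sites named; the deny-list is constructed from the three leaked picks the report quotes, and the thresholds MIN_LENGTH, MIN_CHARSETS and the per-class alphabet sizes are assumptions chosen for illustration.

```python
import math
import string

# Constructed deny-list: the three top picks the report quotes from the Gawker leak.
# A real deployment would load a far larger list of leaked passwords (assumption).
COMMON_PASSWORDS = {"123456", "password", "qwerty"}

# Policy thresholds are assumptions for this example, not figures from the report.
MIN_LENGTH = 12
MIN_CHARSETS = 3

# Approximate alphabet size per character class, used only for the strength estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_sets(password):
    """Return the character classes present: lower, upper, digit and/or symbol."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimated_bits(password):
    """Rough brute-force work factor: log2(alphabet ** length), assuming the
    attacker already knows which character classes were used."""
    alphabet = sum(CLASS_SIZES[c] for c in character_sets(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, previously_used=()):
    """Return the list of policy violations; an empty list means the password passes.
    previously_used models the report's advice not to repeat passwords across sites."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    if len(character_sets(password)) < MIN_CHARSETS:
        problems.append(f"uses fewer than {MIN_CHARSETS} character sets")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly leaked password")
    elif any(common in lowered for common in COMMON_PASSWORDS):
        # "Password2010!" passes length and class checks but is built on a leaked word.
        problems.append("contains a commonly leaked password")
    if password in previously_used:
        problems.append("reused from another site")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "Password2010!", "Correct-Horse-7-Battery!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: ~{estimated_bits(candidate):.0f} bits, {', '.join(verdict)}")
```

The substring check matters more than it looks: a policy that only counts length and character classes happily accepts “Password2010!”, which is exactly the kind of dictionary-word-plus-suffix choice that cracking tools try first. The bit estimate is deliberately crude and is there only to show how little a six-digit password buys compared with a long multi-class one.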
Mobile devices and smartphones

According to Gartner analysts, one in six people will have access to a high-tech mobile device by the end of 2010. In the last few years, we’ve witnessed a radical change in the way we access and use the Internet. The rapid upswing in sophistication of mobile technology resulted in a swift change in the way we provide mobile content and interact with it. However, this change brings with it a wealth of new problems for security. In our new, always-connected age, maintaining the integrity and privacy of networks, business data and personal information is increasingly important and difficult.
iPhone

Apple’s iPhone kick-started the latest wave of touch-screen smartphones, setting the standard for both design and functionality. The only thing that matched the level of anticipation prior to the summer 2010 release of the fourth generation of iPhones was the extent of spammers’ exploitation of the news. A wave of spam messages offering phones, just hours before Steve Jobs’ official public unveiling, shadowed the actual release of the new iPhone.

We’ve seen gradual improvements in the level of security on iPhones since its first release. Many companies that once considered iPhones unsuitable for business use are now changing their minds. Nevertheless, active threats continue to loom. Despite no major outbreaks seen last year, early in 2010 hackers released the source code for potential iPhone spyware to the Internet (this also affected BlackBerrys). They followed this with the demonstration of a proof-of-concept botnet made up of iPhones and Android devices; the trick persuaded close to 8,000 users to join before researchers unveiled it.

Early 2010 also saw potential issues discovered with encryption. Apple stepped up efforts to keep up with newly emerging vulnerabilities in their operating system and software. They released an upgrade to the core iOS covering some 65 vulnerabilities noted in previous versions, with a further batch of fixes issued just a few months later.

The majority of security issues continue to focus on jailbroken devices, where the mobile security settings are unlocked to get more functionality. The JailbreakMe.com website made iPhone jailbreaking easier as it exploited a security vulnerability in the way the iPhone’s version of the Safari browser processed PDF documents to unlock the phones with minimal user effort. Apple released a patch a week or so later, but users continue to jailbreak their devices in droves, tempted by the possibility of installing applications not approved by the company. However, by doing this, users circumvent the iPhone’s principal security measure.
By the end of the year, a computer consultant developed an optional added layer of security for jailbroken phones, providing Address Space Layout Randomization. However, no method of securing phones will provide a complete protective arsenal, as hackers continue to develop ways to subvert devices. The sheer dominance of Apple’s devices in the smartphone market, and the diverse range of uses they can be put to, also make iPhones a prime target for mobile cybercriminals.

Jailbreaking is a bad idea, as it undermines Apple’s inherent security model and opens the user to more risk from social engineering tricks. Even with fully secured phones, users need to exercise normal precautions against scams, and keep an eye out for the usual tricks and lures.

iPhone risks can be mitigated if you exercise caution. When iPhones are plugged in to home or company computers or are set up on unapproved wireless networks to provide phone connectivity, threats are transferred from the iPhone to more vulnerable systems and networks. You can use a blend of policies and technologies to keep your network and machines safe. “Acceptable use” policies can attempt to control what users plug into home or company devices, together with quality anti-malware at the desktop level and solid device control network-wide.
Android

Google’s Android tried to keep pace with the iPhone in terms of functionality, and as devices diversify, the Android user base continues to grow. In early 2010, Google found and removed banking malware from the site when a wallpaper application gathered information on over 1 million Android users. Researchers at the BBC put together their own smartphone spyware with ease, and researchers spotted a basic SMS Trojan in Russia, although it didn’t make its way onto the Android market.

The more open nature of the Android app market and the design ethos of the operating system make the Android more exposed to attack than the locked-down iPhone. The Android’s ability to run Flash means updates to Adobe applications are required. Some components are built-in parts of the operating system, and therefore require full OS upgrades to patch vulnerabilities; this causes issues for some older devices that can’t run newer editions of the platform. The openness of the Linux-based platform makes it possible to access and tinker with low-level components, but also attracts more research into possible flaws and how they might be exploited for profit.

All in all, Android phones represent a considerable exposure point, but again one that relies heavily on social engineering to lure users into installing rogue or malicious applications that give the bad guys access to their phones. Keeping alert and well-informed on the latest scams remains one of the most important aspects of staying secure.
Windows Phone 7

We saw the release of Microsoft’s latest mobile platform, Windows Phone 7, in many regions in late 2010. The platform’s clear advantages for interaction with existing business software such as Exchange make it likely that Windows Phone 7 will be a particularly strong player in the business market, which is currently dominated by RIM’s BlackBerry. The need for flexibility and cross-hardware support makes it difficult to implement Apple-style lockdown, and Microsoft’s reputation for favoring functionality over security does not bode well for security on the devices.

BlackBerry

RIM’s BlackBerry is still the device of choice in corporate environments, if much less popular for personal purposes. The BlackBerry security-built-in model is fairly successful so far, although potential spyware applications have been introduced. Most new developments—if anything—weaken that security model, with several nations pressuring RIM to slacken their policy of transporting all data through their central servers in strongly encrypted form, preventing government snooping on traffic. Only time will tell if the security model will be diluted or compromised by the discovery of vulnerabilities, and users should avoid placing too much trust in these devices simply because today’s security model is effective.
Other mobile platforms

With Apple, Google, Microsoft and RIM dominating the headlines in the next-generation smartphone market, other major players are working hard to catch up. The Palm Pre is keeping up with demands for broader functionality, and finding the same problems maintaining security. A flaw exposed this year granted cybercrooks a backdoor into Pre systems via a maliciously-crafted mail message or webpage.

Meanwhile, despite losing market share to more advanced models, mobile giant Nokia’s relatively humble Symbian operating system continues to hold a massive share of the smartphone market. We continue to see a notable quantity of real working malware on the Symbian operating system due to the combination of a large pool of potential victims and a relatively insecure operating model. Fortunately, there are quality security solutions that can protect against these threats, and it seems likely that as newer and more sophisticated devices become more widespread, these older and less secure platforms will slowly die out.
Social networks
Applications

Facebook, by far the largest social networking system and the most targeted by cybercriminals, has a major problem in the form of its app system. Any user can create an application, with a wide range of powers to interact with data stored on user pages and cross-site messaging systems, and these applications, like survey scams, can then be installed and run on any user’s page.

To combat this serious problem, a “walled garden” approach may be more suitable. This refers to a closed or exclusive set of information services provided for users, in contrast to allowing open access to applications and content. This is the way the Apple App Store operates, with applications requiring official approval before they can be uploaded to the site and shared with other users. It has proven effective in protecting users from maliciously crafted applications. Facebook users responding to a (legitimate) survey also approve of this approach.

Another option would be to give those users with security concerns the option to secure their own page, allowing only vetted applications to run. This second approach would only protect the more aware and cautious of users, who may be less likely to fall for the scammers’ social engineering tricks anyway. It wouldn’t do much to reduce the spam flooding from less secure users, and a full-spectrum control system is preferable. Of course, even official vetted and approved applications can’t be entirely trusted, with the occasional slip allowing applications that harvest user data to make it onto the verified lists.

[Poll: Should Facebook follow Apple’s example and have a “walled garden” verifying all apps? Yes, it would be better for security: 95.51%. No, there shouldn’t be restrictions on what apps are written: 4.49%. Source: Sophos Poll October 2010]
Privacy settings

In addition to the application problem, Facebook comes under regular criticism for its provision, implementation and explanation of user privacy features. Directions for setting privacy preferences are vague and unclear—if and when they're provided. Plus, once uploaded, information and content may be difficult or impossible to remove.

Facebook and other social network operators would be well advised to impose a comprehensive "opt-in" system for all user content. This would make it clear exactly what will be visible to whom and force users to make an explicit choice of how open to make their information. Such an approach would drastically improve the security of potentially sensitive information. And, doing it proactively, rather than waiting for legislation to force the issue, would engender increased trust in the safety of the system and respect for its operators.

Poll: Do you think you will quit Facebook over privacy concerns?
Possibly: 30%
Highly likely to: 30%
I already have: 16%
No: 12%
I don't think so: 12%
Source: Sophos Poll, May 2010
Insecure infrastructures

A cross-site scripting (XSS) vulnerability in the Twitter website also put users at risk in 2010. This vulnerability allowed links to be posted with embedded JavaScript code known as "onMouseOver." It displayed pop-ups and third-party sites when a user merely hovered over a link without even clicking on it. Hackers exploited this vulnerability, in many cases simply for pranks, but also with more malicious intent.

The issue only affected certain browsers, and Twitter moved quickly to protect their users. The weakness did not affect most users accessing the system through third-party, but the incident highlights the need for close attention to possible vulnerabilities when building a web service for a mass user base.
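The defensive lesson of an incident like the one above is output escaping: every user-supplied value must be encoded for the HTML context it lands in before the page is assembled. The Python below is an added example, not code from Sophos or from Twitter, contrasting an unsafe link renderer with one that escapes each value and links only http(s) URLs. The injected URL string is constructed for the demonstration, and a small html.parser-based check shows how a browser would read each result: the unsafe output carries an anchor with an extra event-handler attribute, the safe output a single href.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed input for the demonstration: a "URL" that tries to close the href
# attribute early and smuggle in an event-handler attribute.
INJECTED_URL = 'http://example.com/" onmouseover="alert(1)'


def render_link_unsafe(url: str, text: str) -> str:
    """Vulnerable pattern: user input is interpolated straight into HTML."""
    return f'<a href="{url}">{text}</a>'


def render_link_safe(url: str, text: str) -> str:
    """Hardened pattern: scheme allowlist plus context-aware escaping.

    html.escape(quote=True) turns < > & " ' into entities, so a quote in the
    input cannot terminate the href attribute and start a new one. URLs whose
    scheme is not http(s) (javascript:, data:, ...) are not linked at all.
    """
    scheme = urlsplit(url).scheme.lower()
    safe_text = html.escape(text, quote=True)
    if scheme not in ("http", "https"):
        return safe_text
    return f'<a href="{html.escape(url, quote=True)}">{safe_text}</a>'


class _AnchorAttributes(HTMLParser):
    """Collects attribute names of every <a> tag, as a browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.extend(name for name, _ in attrs)


def anchor_attribute_names(fragment: str) -> list[str]:
    """Return the attribute names a parser sees on the <a> tags in a fragment."""
    parser = _AnchorAttributes()
    parser.feed(fragment)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for render in (render_link_unsafe, render_link_safe):
        out = render(INJECTED_URL, "click")
        print(f"{render.__name__}: {out}")
        print("  attributes seen by the parser:", anchor_attribute_names(out))
```

The scheme allowlist matters as much as the escaping: a perfectly escaped `javascript:` URL is still a script that runs on click, so the safe renderer refuses to link it and shows only the escaped text.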
Software

We all require software to help us in our daily work and personal communications. Software is just as likely to contain insecure code and vulnerabilities that allow malware to spread.
Cybercriminals tend to target Microsoft, because its Office and Internet Explorer solutions are ubiquitous. Many users view this software as an integral part of the Windows platform, rather than separate software that may need a separate regime of updating and patching. Lately, cybercrooks targeted Adobe to enable malware distribution, as its PDF Reader and Flash player are also widely, if not universally, installed.

Researchers have noted problems with Adobe PDF documents for some years now, since the ability to run active scripts is enabled by default in Adobe's Reader software. In 2010, PDF exploits became ever more widespread, and new vulnerabilities in Reader emerged regularly. Maliciously-crafted PDFs are placed on websites or mailed out in spam runs, hoping that they will be opened in vulnerable Reader software and their payloads will be given free rein to infect systems.

With more and more websites using Flash to display dynamic imagery and more users installing the required player software (itself a common trick to get Trojans installed), Flash problems are also becoming more widespread. New zero-day exploits and critical patches for Adobe software became routine in 2010 with a series of advisories and patches issued throughout the year.

Amid all this activity, and increasing calls for action such as disabling JavaScript by default, Adobe showed signs of moving towards better security. In 2010 they added automatic updating capabilities, and will add "sandboxing" in new versions of their Reader solutions. The company hopes that this effort will isolate malicious scripts from the local system. We'll know their success with time.

Other popular Adobe packages such as Shockwave and Photoshop also needed to address security concerns in 2010 and required patching. Java, produced by Sun Microsystems, and now part of Oracle, also drew a lot of attention from malware writers due to its wide installed base, with an increase in exploits included in malware observed.

In many cases, malware exploiting these vulnerabilities led to fake anti-virus software scams, but cybercriminals also used PDF attacks to link to more complex chains of malware infestations such as the Sality virus family.
Removable media

Though we'd like to think removable media, such as flash drives, network cables and Wi-Fi connections have replaced discs, they're still used and remain a significant exposure point.
USB flash drives

The USB flash drive is now the method of choice for easy sharing of files between people in the same physical location. Fast, capacious, robust and cheap, they're in widespread use in just about every sphere of computing. And of course, they've become a prime target for malware authors. Modern malware—including high profile examples such as Conficker and Stuxnet—exploits USB drives to automatically run when inserted into a target computer. Stuxnet took it one step further and exploited an unpatched security vulnerability to bypass even the need for "AutoPlay" to be enabled.

Targeted attacks also frequently use this threat, notably the social engineering trick of dropping infected sticks in company parking lots, hoping that curious employees will pick them up and insert them into company systems, breaching the corporate network boundary. Flash drives are also commonly given away as freebies at trade shows, a practice which makes for major embarrassment if inadequate security procedures are carried out. IBM learned this lesson this year when the complimentary USB drives it handed out at the AusCERT security conference in Queensland, Australia were infected by not one, but two pieces of malware.
CDs/DVDs

While permanent media such as CDs and DVDs don't provide as much opportunity for infection by malware authors, they can still transmit malware—whether explicitly infected or accidentally when copying files onto the disks.

The media is most risky as a data loss format. It's easy for disgruntled employees to download valuable data to CDs and DVDs and walk out the door, as the U.S. government learned this year when data sneaked out in this way sparked the ongoing WikiLeaks saga.

Other plug-and-play devices

When considering USB drives and CDs or DVDs as means of moving data around, it's easy to discount the range of other devices with similar properties. Camera memory sticks, GPS devices and even smartphones all contain flash-based storage, which is fundamentally the same as a standard thumb drive. These plug-and-play devices are just as capable of containing malware and the associated AutoPlay and other exploits, and are thus likely to fall victim to malware as well.

Plug-and-play devices are a subtle way of sneaking contraband data past normal security checks, and are less likely to be analyzed than more recognizable forms of moving data around. Therefore, they need to be subject to the same access control and data loss prevention procedures as flash drives.

When factories have poor quality control procedures, removable devices can come "pre-infected" with malware. A machine used to build, install or test hardware can become infected and pass on the infection to each device it comes in contact with; this can be highly embarrassing to product vendors and result in costly recalls.
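The USB and plug-and-play passages above both rest on the same mechanism: Windows AutoPlay honouring an autorun.inf file at the root of a removable volume. The Python below is an added example, not code from Sophos or from the report, that parses such a file and flags the entries that would launch a program on insertion (open, shellexecute and shell\<verb>\command), together with the action label often used to present that launch as a harmless folder view. Both sample files are constructed for the demonstration. A check like this does not cover the unpatched vulnerability the text says Stuxnet used to bypass AutoPlay entirely; that is a matter for patching.

```python
# Constructed sample autorun.inf contents, as they might be found on a removable volume.
BENIGN_AUTORUN = """\
[autorun]
icon=photos.ico
label=Holiday photos
"""

SUSPICIOUS_AUTORUN = """\
; constructed sample: presents an executable launch as "open folder"
[AutoRun]
open=hidden\\update.exe
shellexecute=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Keys that cause code to execute when AutoPlay acts on the volume.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value mapping.

    autorun.inf is INI-style: keys are case-insensitive and comments start
    with ';'. A hand-rolled parser is used so that '%' in values and repeated
    keys cannot trip the scanner the way configparser's defaults would.
    """
    entries: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> list[str]:
    """Describe every setting that would run a program, or dress up doing so."""
    entries = parse_autorun(text)
    findings: list[str] = []
    for key in LAUNCH_KEYS:
        if key in entries:
            findings.append(f"{key}= launches {entries[key]} when the volume is inserted")
    for key, value in entries.items():
        # shell\<verb>\command adds or replaces a context-menu verb that runs a program
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= adds a context-menu action running {value}")
    if findings and "action" in entries:
        findings.append(f"action= labels the launch as '{entries['action']}' in the AutoPlay dialog")
    return findings


def is_suspicious(text: str) -> bool:
    """True when the file would execute something, i.e. when there is at least one finding."""
    return bool(autorun_findings(text))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(f"{name}: suspicious={is_suspicious(sample)}")
        for finding in autorun_findings(sample):
            print("  -", finding)
```

In practice the scanner would be pointed at the root of each newly mounted removable volume; a benign file that only sets an icon or label yields no findings, while any launch key is a reason to quarantine the device before anything on it is opened.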
Operating systems
Windows 7

Overall, Windows 7 provides a secure environment, but there's still room for improvement. When the first few versions of Windows XP came out, there were much more serious issues than with Windows 7—and many were fixed with Service Pack 2. Microsoft plans to release Windows 7 service pack 1 in 2011. However, numerous security fixes have already been released as part of the Patch Tuesday program.

Usage statistics show a steady uptake of the new OS; it is rapidly catching up with Vista and looking certain to overtake it as more new machines come pre-installed with it and as older operating systems, including the no-longer-supported XP SP2, fade away. Malware creators are now starting to hone their attacks to specifically target Windows 7, particularly the ubiquitous rogue security solution scams, and this trend will continue as the platform and its users become an ever larger target.
Mac

Many people consider Apple's Mac OS X platform to be more secure than Windows. Some believe that its UNIX-based approach to privileges and permissions grants it a firmer security footing than Windows, and the more limited range of hardware support required means less code and therefore less exposure to code vulnerabilities.

Since fewer Macs are used in corporate environments, the Mac is a smaller target upon which cybercriminals can focus. As a result, the Mac malware problem is a tiny fraction of that seen on the Windows platform. Nevertheless, malware continues to emerge on a regular basis. And even without as many opportunities to infect and spread across platforms, Mac users are still vulnerable to the scams and tricks used to persuade and pressure them into installing suspect software, to open up their systems to remote access, or to hand over their sensitive data.

For example, 2010 saw a new version of the OSX/Pinhead Trojan, which poses as a copy of the iPhoto application distributed with all new Macs. If the user is tricked into installing the software, it opens up a backdoor allowing crooks full access to the compromised system. Later in the year, the Boonana Trojan targeted Mac, Windows and even Linux users. It spread through spammed links on Facebook and used standard social engineering tricks to lure victims into installing a Java application, which downloads and runs a further torrent of malicious applications.

Apple is working harder to protect users against "Trojanized" software through the upcoming Mac App Store, due to go live in early 2011. Operating along similar lines to the iOS App Store which provides applications for iPods, iPads and iPhones, it's set to become a central repository and sales system for all Mac software, introducing a level of security checks to ensure that software behaves as desired. The impact of this will depend on how widely Mac users adopt it, but it's unlikely to provide the same level of safety and control that the iPhone enjoys. Users will almost certainly still be able to access and install software from anywhere else they may find it, and this leaves them open to the full range of social engineering tricks and vulnerabilities.
With malware writers taking advantage of any potential security hole, it's just as important for Mac users to keep up to date with patches as anyone else. The fact that these patches exist at all may be seen as proof that the platform is far from air-tight. In a single release in November 2010, Apple patched 100 different vulnerabilities.

With many Mac users paying little heed to security—due to their sense of invulnerability—the Mac community was well served in 2010 by the release of a free-for-personal-use anti-virus solution, along the lines of several similar offerings available to Windows users. Within days of its release, the new solution spotted a range of infections, and has also shown that while many Macs may not often be actively infected with malware, they can still be carriers for Windows malware just waiting to cross-propagate.

Computer users often overlook the risk of transferring infections from one platform to another, but this problem can present a significant penetration point both at home and in business. All systems need to be kept secure and running quality security software, regardless of whether or not they themselves are considered susceptible to infection. In businesses with multiple platforms working together it's especially vital to have strong policies for securing all platforms and enforcement systems to ensure compliance.
Web server security threats

Despite the continuing presence of threats via movable hardware, the web is by far the biggest opportunity for malware infection. It transmits emails bearing malicious links and attachments, websites carrying exploits targeting browsers and other software, drive-by downloads, phishing scams, questionable storefront operations, and all the other malice of the cyber world.
Malvertising

One of the growing issues of the past year is "malvertising"—the implantation of malicious advertisements onto websites. In many cases, the websites are entirely innocent and unaware of the threat they're posing to their visitors. Malware advertising is slipped into feeds from external advertisement resellers and appears alongside the standard set of ads. The infiltration may exploit flaws in ad-server software, or may be accomplished by concealing the malicious activities of ads in order to get them past checks run by ad suppliers.

In 2010, malvertising appeared on the websites of Minnesota's largest newspaper, the Star Tribune, the popular online game Farm Town and even in the sponsored links accompanying Google search results. In all of these cases, the malvertising led to fake anti-virus software scams aiming to trick victims into paying to clean up non-existent malware infestations. Scammers often presented these malicious advertisements through links designed to look like legitimate ad sources.
Compromised legitimate websites

Compromised legitimate websites can introduce malware and scams. We see 30,000 new malicious URLs every day. That's approximately one every two to three seconds. And, we've found that more than 70% of these are legitimate websites that have been hacked or compromised. Criminals gain access to the data on a legitimate site and subvert it to their own ends. They achieve this by exploiting vulnerabilities in the software that powers the sites or by stealing access credentials from malware-infected machines.

The uses for compromised sites are diverse. In 2010, cybercriminals used compromised sites for standard drive-by downloads of malware, including "ransomware," which encrypts important files and demands payment for the access codes. Another example is to demonstrate weaknesses in supposedly secure sites holding personally identifiable information. Compromised sites include the European site of popular tech blog TechCrunch, news outlets like the Jerusalem Post and local government websites like that of the U.K.'s Somerset County Council. The crooks even hit major hosting providers, and once compromised they can cause all sites they host to serve up malware.

Twitter feeds also became an increasingly popular target for malicious takeover in 2010. As Twitter becomes an ever more prevalent means of spreading information—personal, commercial and official—popular feeds are a simple way of getting access to large crowds of people. Leading feeds are used to tweet links to scam websites. In one particularly malevolent case, hackers used Twitter to spread hoax emergency warning messages from an official disaster advisory account in Indonesia.

Celebrity Twitter feeds are a particularly juicy target thanks to their predictably large followings. In 2010, prominent TV presenters, politicians, rock stars and rappers all had their Twitter accounts hacked by spammers. In a similar vein, hijacked email accounts make fertile ground for spreading spam and scams. Email that seems to be coming from a trusted source is more likely to be opened; and as a result links are clicked on or attachments opened. Breaches in account security can have serious consequences. U.S. Vice Presidential candidate Sarah Palin commented in a book published in late 2009 that a hacker breaking into her personal Yahoo! account "created paralysis" in her campaign camp because it cut off easy communication with her colleagues in Alaska.

Top ten countries hosting malware
United States 39.39%
France 10.00%
Russia 8.72%
Germany 5.87%
China 5.04%
United Kingdom 2.68%
Poland 2.43%
Canada 2.03%
Ukraine 1.97%
Hungary 1.84%
Other 20.03%
Source: SophosLabs
Email spam

Email spam remains a significant path for threats, simply because the vast majority of computer users still use this medium. Spammed emails containing attachments remain a popular tactic for cybercriminals, often taking advantage of vulnerabilities in Office and PDF Reader software to launch malicious code from within innocent-looking document formats. Emails containing links to malicious sites continue to increase as a major means of leading new victims to attack sites, operating in parallel with SEO-based lures.

Top malware spreading via email attachment
Mal/BredoZp 29.69%
Troj/JSRedir 10.83%
Troj/Invo 7.97%
Mal/EncPk 7.96%
Mal/FakeAV 6.33%
JS/WndRed 4.55%
Troj/Agent 4.32%
Troj/Bredo 4.25%
Troj/Iframe 2.15%
Troj/Zbot 1.66%
Troj/Mdrop 1.63%
Mal/Behav 1.55%
Mal/Oficla 1.31%
Troj/ZipCard 1.23%
Other 62.52%
Source: SophosLabs

Zero-day threats: what are they, and how to avoid them?

In a nutshell, "zero-day" threats are attacks that make use of vulnerabilities which are not yet patched. This usually means that malware writers or vulnerability researchers find a flaw in some piece of software, which can be used to bypass some security measure and get malicious code to run. For example, bugs in browsers can mean that rather than simply displaying a webpage as they should, carefully crafted webpages can cause malicious code to be executed on your computer. Similarly, bugs in PDF Reader software can mean that code can launch from inside PDFs.

While the name zero-day implies a single day, the window of opportunity for a zero-day threat runs from the moment the vulnerability is first discovered to the time the software developers provide a patch or update to cover the hole. From a user's point of view, it runs until the patch is fully applied; until then, the vulnerability remains open and the threat can compromise the user's system. When vendors are slow to patch flaws, third parties may develop patches or workarounds to mitigate the threat.

In many cases, vulnerabilities are discovered by honest security researchers and pointed out to the software vendors to fix. In some cases, if a fix isn't timely, the issue may be made public to encourage more prompt patching. In other cases, criminals may come across problems, and exploits may be sold between gangs of cybercrooks on the black market. Working exploits for genuine and unpublished zero-days are particularly valuable to attackers.

Tools are available to protect against zero-day exploits. One such tool is a buffer overflow prevention system, which should be included with quality multi-layer security solutions. To keep the zero-day window as small as possible, you should patch promptly and apply all recommended workarounds. In many cases, flaws will only affect software with certain settings enabled or disabled, and a secure approach to configuring all software should be a core part of any corporate security strategy.
Tablet evolution

Apple's much-vaunted iPad introduces a new, attractive way to use a computing device. Although early models are little more than an enlarged iPod touch, the spectacular popularity of the iPad indicates that the time has finally come for the tablet format to compete with the netbook and the smartphone for mobile computing market share. Similar to the iPhone, cybercriminals hijacked the huge interest in the new devices, with offers of free iPads flooding email inboxes and social networks. Of course, almost all of them lead to phishing, malware, or scams.

Interestingly, Apple has resolutely refused to allow its mobile devices to run Flash applications. Perhaps this is in part due to the upturn in security problems in Adobe software, but officially the reason is merely to avoid inefficient and power-draining technologies. News emerged in the summer of 2010 that "frashing," a technique for persuading unlocked iPhones to run Flash, is possible for use on iPads too. As this is likely to encourage more owners of the devices to unlock and hack their machines to enable access to a wider range of content, it enables more threats targeting those who choose to bypass some of the lockdown security features built into the devices.

Many hardware manufacturers responded to the iPad launch with competing products; among the first to market were tablets running the Linux-based Android operating system, such as Samsung's Galaxy Tab. Windows versions are also due soon, including the EEE Pad from Asus, with expected availability in early 2011. Full-scale computing power together with always-on, anywhere-anyplace-anytime connectivity and a more casual attitude towards computing brings with it potential dangers. The potential for deception and the sloppiness of a finger-powered control system (versus a standard keyboard and mouse) are additional concerns. We expect more cybercriminals to target iPad users in the upcoming year.
Protecting yourself from current and future threats

Today's legal system is dealing with cybercrime, but just barely. Your best defense should include a combination of common sense decisions and protection software. Businesses and end users should employ this type of multi-layered approach to avoid becoming the victims of malware.
Legislation and criminal justice

If you measured the Earth's history in geological timeframes, the entire history of human civilization registers barely more than the blink of an eye. Similarly, in legal terms, issues of malware, spam and cybercrime are still considered very new and haven't been fully addressed by adequate global legislation. Nevertheless, 2010 saw some advances in the arrest and prosecution of cybercriminals, with promising signs of cooperation and data-sharing between national and regional police forces. This is a vital step in combating crooks to whom national borders represent little more than something to hide behind.

In something of a bumper year for the tracking down and punishment of cybercriminals, March saw the creator of the Allaple worm sentenced to 2 years and 7 months in Estonia, while in July the gang behind the "Mariposa" botnet came under investigation and the FBI and police forces in Spain and Slovenia arrested the 23-year-old ringleader in a joint operation. In August, officials arrested a Japanese malware writer under suspicion of creating malware which spread through the Winny peer-to-peer system.

In the second half of 2010, police broke up another gang of botnet operators, with 19 arrests in the U.K., 60 charged in the U.S. and further police action in the Ukraine. This was all in connection with the notorious Zbot (or Zeus) botnet, thought to be responsible for the theft of over $200 million. In late October, Dutch police announced the successful takedown of the Bredolab botnet and police in Armenia picked up a man thought to be behind the operation.

On a smaller scale, the courts sentenced a Scottish man to 18 months imprisonment for distribution of data-stealing malware, both for financial gain and, according to the trial judge, to get pleasure from intruding into the privacy of others. Law officers discovered that a contract worker at the U.S. financial institution Fannie Mae planted malicious scripts in the firm's systems, designed to destroy data at a fixed date in the future in order to cause huge damage. The courts sentenced the hacker who hijacked Sarah Palin's email account to over a year in jail, and the U.S. Secret Service picked up a man who broke into the systems of the Federal Reserve Bank of Cleveland—as well as stealing over 400,000 sets of credit and debit card details from several other banks. In the world of social networking, Facebook announced lawsuits against the operators of the survey scams plaguing its site.
More arrests were made in the online gaming world, with two suspects picked up in Japan in relation to theft of login credentials for the popular game Lineage II, using spyware planted on victims' systems.

The gaming world was also hit by one of the most widely-reported attack techniques of the year, with a 17-year-old arrested in the U.K. under suspicion of involvement in Distributed Denial of Service (DDoS) attacks on servers running the 'Call of Duty' shoot-em-up game. Another attacker was sentenced for using university systems to launch DDoS attacks on the websites of right-wing politicians.

The major DDoS stories of the year, however, were related to the WikiLeaks scandal. After the release of large amounts of politically-sensitive data by the whistleblowing website, and the subsequent decision by several payment systems to cease processing donations to the site's operators, a hacker group took it upon themselves to retaliate, without the support of those running the site. The 'Anonymous' group launched attacks on the servers of several payment processors involved, and encouraged others to join in using publicly-available attack software.

With DDoS attacks illegal in many regions, those participating in the retaliatory action were open to litigation, and in the Netherlands police arrested a 16-year-old boy in relation to the campaign. Attacks then turned their attention to the Dutch police websites, leading in turn to a second arrest. Another attack rumored to be related to the story, against perennial DDoS target Spamhaus, was found to be unconnected. Amidst all the political posturing, many observers lost sight of a significant chapter in the whole saga, the original data loss, apparently accomplished by copying vast swathes of data to a CD and walking it out of a building. Given the supposedly sensitive nature of the data involved, this should have been made a far less straightforward task, with proper data security systems and procedures.
Measures taken by government to combat cyberwarfare

Hollywood screenwriters continue to show us the prospect of cyberwar and cyberterrorism on film. But, are these threats based in reality? Some, including security guru Bruce Schneier, see this as a distant and over-hyped threat. Yet, 2010 could be the year that saw the first real glimmers of a spark in the bonfire of global cybercombat, with three major incidents.

What later became known as "Operation Aurora" marked the first days of 2010. This major offensive targeted Google, Adobe and many other large companies with the apparent goal of accessing webmail accounts of Chinese human rights activists. And many believed the source to be China. The Chinese government denied involvement, and many dismissed the incident as large-scale corporate espionage, but it sparked a major human rights disagreement and brought responses from many national governments. The U.S. Secretary of State issued a statement after a briefing by Google on the incident, and shortly afterwards the German and French governments issued advice to avoid using Microsoft's Internet Explorer browser because it was vulnerable.

Later in the year, the emergence of the Stuxnet worm hinted at the potential of malware to attack and subvert exactly the kind of sensitive national infrastructure the conspiracy theorists have long suggested as a prime target. Then, as 2010 drew to a close, the WikiLeaks saga combined data loss, political scandal and international, orchestrated attacks conducted through the Internet. These attacks focused on financial institutions and websites promoting regional governments and institutions, but along with the other components in this trio of events, they highlight possibilities which have been hovering over the web for some time.

Poll: Do you think it's acceptable for your country to spy on other countries via the Internet by hacking and/or installing malware?
Yes, but only in wartime: 40%
No: 37%
Yes: 23%

Poll: Is your country doing enough to protect itself from Internet attack by another nation?
No: 54%
I don't know: 40%
Yes: 6%
Source: Sophos Poll, August 2010
Measures taken by businesses

Cybercrime is encroaching more and more into the business space. Industrial espionage, spearphishing of important employees to breach network boundaries and mass theft of customer information are more difficult to detect and have very serious consequences. At the same time, network boundaries are becoming ever more indistinct and porous as new technologies enable greater access from remote workers and mobile devices. In addition, legal requirements place greater emphasis on traceability and compliance with predefined standards of data hygiene.

Increasing amounts of sensitive data are stored, accessed and manipulated in databases connected to company websites as businesses increasingly interact with their customers through the Internet. As a result, it's become as easy to access these databases as it is to access the main doors at corporate headquarters.

Security administrators face a constant battle to maintain usability while preventing penetration from the outside and data loss from within. Alongside protecting network boundaries, businesses and website maintainers are under growing pressure to ensure that their web presence provides adequate protection for the users of their web services.
Social networking sites are particularly exposed in this area. Users trust these sites with vast amounts of often highly sensitive information. The amount of data that can be harvested by cybercriminals is dependent on both the way sites are designed and run, as well as the security underlying the site's software. There's no need for hackers to break into web servers and harvest user data if the users upload useful information for all to see. Many social media sites focus more closely on growing their numbers of users, rather than ensuring users are kept safe and fully understand their privacy systems. As a result, many social networking sites are rife with malware, spam and data harvesting. Operators of social networking sites and web resources need to keep their customers safe in addition to keeping them happy.

Meanwhile, security providers must continue to innovate and improve their services and solutions to ensure the best possible protection is available. With the never-ending increase in volumes of malicious code and threat-serving webpages, it's becoming increasingly impractical to treat solutions as standalone, independent software. In addition, many leading developers are extending their solutions to the cloud. Although this has its benefits, it also opens up a full spectrum of dangers which require additional protection. Investment in expert systems to rapidly and accurately spot, analyze and classify newly emerging threats is a must.
End user education

A lot of the scams and social engineering techniques discussed in this report aren't new, and are certainly not unique to the cyberworld. Since the dawn of civilization, con artists, mentalists and tricksters have deceived and exploited innocent victims for profit. It seems inevitable that some people will fall for convincing stories and plausible tones no matter how strongly they're warned to be on guard.

However, the speed and reach of scams has been magnified enormously with the rise of the Internet, mass email and social networks. Now, a single scammer can try their luck with millions of targets at once. An email campaign can carry a link to vast numbers of inboxes, and only a few people need to be lured into following the links for the scammer to profit. By just clicking on a link, a user's machine can become infected, their personal details can be harvested or they can be led to a dishonest online retailer seeking to turn a profit from the effort.

Of course, the speed and reach of the Internet works both ways. It enables warnings and protective measures to be disseminated worldwide at lightning speed too. Educators and threat watchers are warning a growing audience of alert listeners. And, as more people become aware of the dangers of the web and learn to keep an eye on the latest scams and threats, we all steadily become safer.

There's still a long way to go. Too many people are too willing to share anything they can think of on their social networking pages, with no thought of the possible consequences. And many people unthinkingly click on an email attachment or link because it comes in from a friend or colleague's email address.

We need to balance caution and sensible precautions with usability. Users need to be able to trust that online purchases and other payments will be safe and secure, that their banks will look after their money and that their purchases will reach them. Without this trust, we would be afraid to communicate or conduct any transaction online. Yet, as Ben Franklin's old adage says, "An ounce of prevention is worth a pound of cure."

Businesses and service providers have an opportunity to learn from the scams and exploits of the past in order to strengthen their defenses and offer the best security and reliability possible.
What tools help us to stay secure?

While education and awareness are the best way to stay ahead of the bad guys and malware attacks, there is also a range of technologies you can employ to help maintain security and privacy. They include:

Anti-virus software: a must-have for just about any computer system. Detects, blocks and removes malicious code; should cover rootkits, scripts in webpages, exploit attempts and other malicious activities as well as traditional file-based threats. Local detection data is best supplemented by expanded online lookup systems to efficiently protect against the latest emerging threats, and by whitelisting to minimize serious false positives.

Gateway malware and content filters: watch for malware being downloaded, at the gateway level. Should block malicious URLs as well as file transfers, again using cloud lookups. Quality web filtering solutions will enable enforcement of corporate browsing policies too. Management and reporting systems will help corporate admins monitor company networks and ensure compliance with policies.

Anti-spam software: another must, especially in business. Filters email to remove spam, phishing scams, messages with malicious attachments and links to malicious webpages. Must combine strong detection with vanishingly small false alarm rates. Should also provide traceability and archiving to ensure blocked messages can be retrieved in case of problems.

Encryption software: vital in any business working with sensitive customer data, and in many places where internal data might be valuable or compromising if lost. Data should be kept in encrypted form whenever possible, particularly during transfer and on portable systems or devices. Failsafes and administrator overrides are also useful in case of lost passwords or abuse by rogue employees.

Patching and vulnerability monitoring: all software needs to be kept up to date with the latest security fixes. Some software may offer automatic updating, but in corporate environments internal testing may be needed first. Solutions are available to coordinate and enforce patching policies across a network, and tools can also scan for vulnerable and out-of-date software.

Device and network control: enforcing rules on which systems and devices can connect to company networks is a necessity to ensure network integrity; company networks need to be isolated from all potential sources of infection, and should also be protected from methods of data theft.

Data loss prevention: sensitive information can be specifically walled in and prevented from moving off the designated systems where it's needed; this stops malware or rogue employees from stealing company or customer information.
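The gateway filter and anti-spam entries above ask for three things at once: block links to known-bad sites, use a whitelist so trusted zones are never caught as false positives, and archive whatever is blocked so it can be retrieved later. The following is an added example written for this page, not Sophos code and not a description of any Sophos product. It stands in for the cloud lookup with two small constructed lists (BLOCKLIST and ALLOWLIST) and feeds it four constructed sample messages. The point it makes that the prose does not is how the host must be normalised before either list is consulted: a link such as http://bank.example.com@evil.example/ belongs to evil.example, and bank.example.com.phish.example.net is not the bank, so the allowlist must match on the real parent zone rather than on a substring of the URL.

```python
"""Toy mail-gateway URL filter (added example; hypothetical data and names).

Demonstrates blocklist + allowlist-override + quarantine archive, the three
properties the tools list asks of gateway and anti-spam filters.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical reputation data, constructed for this example. A production
# gateway would query a live (cloud) lookup service instead of static sets.
BLOCKLIST = {"evil.example", "phish.example.net"}
ALLOWLIST = {"bank.example.com"}  # trusted zones that must never be blocked

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def normalise_host(url: str) -> Optional[str]:
    """Return the lowercased host of a URL without userinfo, port or trailing
    dot, or None if the URL cannot be parsed.

    urlsplit().hostname already lowercases and discards userinfo and port, so
    'http://bank.example.com@evil.example/' yields 'evil.example'.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None


def _listed(host: str, zones: set[str]) -> Optional[str]:
    """Return the zone in `zones` that covers host (exact or parent domain)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


@dataclass
class Verdict:
    blocked: bool
    reasons: list[str] = field(default_factory=list)


def classify_urls(text: str) -> Verdict:
    """Inspect every URL in `text`; allowlist wins over blocklist."""
    verdict = Verdict(blocked=False)
    for url in URL_RE.findall(text):
        host = normalise_host(url)
        if host is None:
            # Fail closed: an unparsable link is quarantined, and the archive
            # below means a false positive here is recoverable.
            verdict.blocked = True
            verdict.reasons.append(f"unparsable URL: {url}")
            continue
        if _listed(host, ALLOWLIST):
            continue  # trusted zone: never a false positive on these
        zone = _listed(host, BLOCKLIST)
        if zone:
            verdict.blocked = True
            verdict.reasons.append(f"{url} -> {host} is under blocklisted zone {zone}")
    return verdict


@dataclass
class Gateway:
    delivered: list[dict] = field(default_factory=list)
    quarantine: list[dict] = field(default_factory=list)  # archived copies of blocked mail

    def process(self, message: dict) -> bool:
        """Deliver or quarantine one message; returns True if delivered."""
        verdict = classify_urls(message["body"])
        record = dict(message, reasons=verdict.reasons)
        if verdict.blocked:
            self.quarantine.append(record)  # kept whole so it can be retrieved
            return False
        self.delivered.append(record)
        return True


# Constructed sample traffic for the example.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "alerts@bank.example.com",
     "body": "Your statement is ready: https://bank.example.com/statements/2011-01"},
    {"id": 2, "from": "friend@mail.example",
     "body": "lol look at this http://bank.example.com@evil.example/login.php"},
    {"id": 3, "from": "it-helpdesk@mail.example",
     "body": "Verify your password at HTTP://Secure.Bank.Example.Com.phish.example.net./"},
    {"id": 4, "from": "colleague@mail.example",
     "body": "Agenda attached, no links here."},
]


def run_sample() -> Gateway:
    gw = Gateway()
    for m in SAMPLE_MESSAGES:
        gw.process(m)
    return gw


if __name__ == "__main__":
    gw = run_sample()
    for r in gw.quarantine:
        print("quarantined", r["id"], r["reasons"])
    print("delivered", [r["id"] for r in gw.delivered])
```

Messages 1 and 4 are delivered; 2 and 3 land in the quarantine list with the reason recorded alongside the intact message, which is what "traceability and archiving" amounts to in practice. Unparsable links are treated as blocked on purpose: because blocked mail is archived rather than dropped, the cost of that choice is a retrievable false positive rather than a delivered phish.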