ISR News: Top 10 Threats from 2008

January 3, 2009 by ADMIN

Excerpts from InformationWeek.com’s Thomas Claburn

A municipal network held hostage, the hacking of a public official’s private e-mail account, court battles to gag security researchers, and dire warnings about the Internet’s Domain Name System were just a few of the highlights of the IT security landscape in 2008.

10. Transit Hackers 2, Gag Orders 0: In separate but related incidents this year, Massachusetts Bay Transportation Agency and NXP Semiconductors lost court battles to gag security researchers. MBTA wanted to keep three MIT students from talking about security flaws in Boston’s transit fare card system known for its “Charlie Card.” NXP wanted to prevent researchers at Radboud University in the Netherlands from publishing details about security flaws in NXP’s MIFARE Classic card, on which the Oyster card used by the London transit system is based.

9. Sarah Palin’s Rogue E-mail Account Hacked: In a case that highlighted the insecurity of online password recovery schemes, the risk of public officials going rogue and relying on consumer services for official communication, and the deductive power of the crowd, Alaska Gov. Sarah Palin saw the contents of her Yahoo (NSDQ: YHOO) Mail account published all over the Web.

8. Involuntary Data Sharing: As of Nov. 25, 2008, the Identity Theft Resource Center reported 585 data breaches that exposed over 33 million records. In all of 2007, the ITRC reported 446 data breaches. It’s not clear how much of this 31% rise should be attributed to increased reporting of incidents, but just about every security firm reports that online crime is surging. There’s more malware out there than ever and it’s designed for data theft.

7. I Locked My Network In San Francisco: In July, San Francisco network administrator Terry Childs, fearing he might be laid off, took the city’s network hostage. He changed the administrative passwords on the network’s switches and routers and then refused to divulge them. He was arrested and for days withheld the network passwords, until Mayor Gavin Newsom intervened. The mayor’s office described it as “a story that seems equal parts spy novel and potential municipal fiasco.”

6. CAPTCHA Cracker: In January, “John Wane,” who identified himself as a Russian security researcher, posted software that he claimed can defeat the CAPTCHA system Yahoo uses to prevent automated registration of free Yahoo Mail accounts. He claimed a success rate of 35%. In February, Websense reported that the CAPTCHAs used by Microsoft Live Hotmail and Google were being defeated by spammers at rates of 30%-35% and 20% respectively.

5. The Internet’s Biggest Security Hole: In February, the Pakistan Telecommunication Authority directed the country’s Internet service providers to begin blocking YouTube for distributing offensive content. In carrying out that order, the country’s ISPs altered Internet routing information and the changed data propagated to PCCW, an ISP based in Hong Kong, and from there across the Internet. As a result, YouTube was briefly inaccessible. After a presentation on BGP vulnerabilities at Defcon in August, Wired News writer Kim Zetter declared BGP “the Internet’s biggest security hole.” She quoted Bellovin as saying, “The good guys have been warning about this for 20 years, and nothing has happened!”

4. Crouching Tiger, Hidden Trojan: In its 2007 Report to Congress, the U.S.-China Economic and Security Review Commission (USCC) called Chinese espionage the top threat to U.S. technology. In 2008, the USCC said much the same thing: “China is targeting U.S. government and commercial computers for espionage.” Complicating the picture is the fact that many of the factories that make high-tech gear and silicon chips are located in China. Some of the facilities manufacture fake goods for a fraction of the price. As noted in the 2008 USCC report, hundreds of counterfeit routers were discovered in the Department of Defense, raising the possibility that hidden backdoors could allow Chinese spies to steal information or crash systems at will.

3. Hack The Grid: Hacking a Web server is to hacking the power grid as a hand grenade is to an atomic bomb — the impact of the former, while serious, pales in comparison to the impact of the latter. So it was that when, in January, CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout, security professionals and government representatives paid attention.

2. The Always War: In August, while the world had turned its attention to the Beijing Olympics, Georgia and Russia fought a brief war on land and in cyberspace. It was hardly the first network-based attack and it will not be the last. As Bill Woodcock, research director for Packet Clearing House observed in a New York Times article about the virtual conflict, “It costs about 4 cents per machine. You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to.”

1. The Trouble With The Domain Name System: Dan Kaminsky received plenty of criticism from the security community for hyping a flaw he discovered in the Internet’s Domain Name System. But he didn’t get more than 80 software and hardware vendors together to release a coordinated patch in July based on exaggerations and grandstanding. The vulnerability he discovered is serious and remains an issue for too many servers. Wired’s account of Kaminsky’s disclosure of the flaw to Paul Vixie, creator of the popular Internet name server software BIND, is telling: After Kaminsky explained his findings, Vixie said, “The first thing I want to say to you is never, ever repeat what you just told me over your cell phone.”

Full Article at InformationWeek.com



Filed under: Breach, D&O Liability, Financial, Government, ISR News, Insider Threat, Military, PCI, Sarbanes-Oxley, Uncategorized, identity-theft, malware, national security, privacy 
