Welcome New Users; SANSFIRE; Webcast Date Change; Emerging Threats

Published: 2005-06-07
Last Updated: 2005-06-08 03:29:28 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Dear Diary,

Rather than doing one summary at the end of today, I'm going to start the diary early then update it a few times during the day.

Welcome New Users

A bunch of new readers joined us over the past few weeks and I want to thank you for stopping by. The SANS Internet Storm Center depends entirely on volunteer effort to keep it running and in the roughly six years we've been around I can say that the thousands of folks who have helped us are all greatly appreciated! Additionally, we need to express our thanks to for providing the servers, rack space, and connectivity. Whether you are a regular reader or new to the group, if you want to know more about how to participate, the are on our sister site at DShield. We can always use more sensor operators, and if you like trying your hand at incident handling then please sign up for one of our discussion lists. The port pages could also use some additional thoughts and comments if you have any to add.

SANSFIRE

SANSFIRE is next week in Atlanta and many of us will be there. It's not too late to register if you haven't done so. If you are at the conference, please be sure to say hello, and don't forget to come listen to Johannes' presentation on Monday night as he tells us all about the magic behind the curtains at the Storm Center. I'll be teaching Security 401 as well as giving a talk on Tuesday morning. Hope to see you there!

Webcast Date Change

The weekly SANS ISC webcast was scheduled for tomorrow. We have moved it to next week so that it follows the greatly anticipated monthly Microsoft security bulletin release. When we were setting up the webcast dates several months ago we goofed and scheduled June's webcast a week too early. Please join us next week!

Emerging Threats

As many of you know, worms, viruses, web defacements and even botnets are what we might call "last century" threats. What are we going to be facing in the coming years? The SANS ISC is interested in your ideas, so if you have time today drop us a note with your thoughts. Please don't send us a book; just a few lines will do. We'll include the best ones in the diary today.

Here are a few that have arrived:

David says, "Instead of hijacking a system to use the disk space and setup detectable FTP servers, [attackers] may end up harvesting all of the documents from the system in hopes of gaining financial or personal information for identity theft."

John suggests, "As direct electronic invoicing becomes more popular, criminals will try to leverage poor implementations of Web Services to submit fraudulent invoices for payment. Agencies that have done away with support staff necessary for manual invoice processing will pay dearly."

Greg offers, "With the developing trends in botnets and denial of service with them, I'm willing to bet that we'll see more frequent use of ddos for hire and malware distribution by zombie pcs. It also would be a shock to see an adaptive botnet..that can change and adapt to discovery on the fly..shutting down discovered nodes and such."

Steve tells us, "I believe that the real threat that's only beginning to surface is internet extortion. What means by which it will happen is hard to say, but it's an increasing threat. I think we're on the brink of seeing widespread extortion happening where files will be "kidnapped", and a ransom note will be left in their places for the user to follow if they want their precious files back." (note from the HOD - this is already happening!)

Tom thinks that these are possible emerging threats: "VoIP hacks (with social engineering and Caller ID spoofing people will give up a lot of data), Hacker "Mafias" (not just small scale people writing viruses because they can - distributed networks of hackers organizing criminal actions like stealing credit information, etc.), attacks on mobile devices (security just really is not a concern for many mobile companies)."

Alex scares us with, "My thought is that we'll see new types of Malware that are able to correlate personal data about a selected individual that it promiscuously finds on the web. The implications of this range from the obvious identity theft to much more sophisticated phishing scams and even password compromise by building very specific custom dictionaries for attack. A 50k+ botnet is great for DDoS, but it has other uses for its massive computing power and connectivity; namely a huge web spidering and correlational tool for this type of attack."

Damian believes that, "one of the emerging trends could be cryptovirology. I believe it could have a huge impact if a nasty crypto worm is developed and it could exploit some new vulnerabilities. In fact I try not to think about it very often ... otherwise I couldn't sleep."

CE's crystal ball says, "Two things come to mind regarding emerging threats: 1) Infection, or at least increased attempts at infecting, of popular sites (like the recent MSN News Korea story) will increase due to the lure of large amounts of victims who trust well-known sites. 2) False information that is presented in ways that a majority of readers, and possibly many experts, wouldn't doubt. This can be used for fraud, social engineering, etc. It will move beyond phishing email and stock scams into possibly more mainstream mediums."

Gary says he is "concerned at the potential for targeted malware. Whereas today's viruses and worms are fairly indiscriminate, I foresee the emergence of malware that specifically targets a given individual, organization or some other distinctive target."

Christian muses that, "one threat will remain for ever .. that's osi layer 8. There will always be suboptimally trained users, administrators, coders or managers who copy /etc/shadow to webserver root." (note from the HOD - I like to call this the "carbon layer" of the OSI model.)

Matt predicts three major trends in the coming year: "The death spiral of signature-based virus detection ... a major increase in wireless network attacks, particularly man-in-the-middle spoofing/theft ... [and] a concentrated, coordinated effort to improve public understanding of basic security issues by both private and government agencies."

Eric is concerned about "completely 'blended' and adaptive threats funded by money that is coerced/stolen electronically. Threats that morph from one form to another depending on how a system is set up to counteract attacks are a real possibility. With more 'holes' being discovered I think it is wise to believe that the development of adaptive threats with blended capabilities is going to be a huge problem."

Chip has a fatalistic outlook, telling us that, "Aside from 'individual' system administrator and 'real' security consultants, I see no cluefulness at all in the IT world, nor in oversight agencies, none." He goes on to say that, "the folks who have been wishing for a really stable platform such as BSD to host malicious applications on, have been handed a goldmine in the form of the new MacIntel platform."

Phil predicts "a worm that actually exploits a vulnerability for which we haven't had a patch for months or even years. It's been a while..."

Well, this is interesting. Most of today's submissions have been oriented on technologies. This afternoon we've seen quite a shift in the thinking of the evil minds. Here's what the mailbag brought us...

An anonymous person looked into the future connected world and prognosticated, "what about crackers breaking into an automated household and manipulating all sorts of automated devices, like the fridge, locks, dishwashers, coffeemakers and so on ... another one could be break-ins to car computers to ground you or worse cause an accident on purpose ... and still another one could be (or maybe already is...) hijacking devices (such as sealing harddisks with passwords and then asking for money to reopen the disk) - you could do this with all sorts of networked equipment ... a completely different approach is identity manipulation: changing information on the web about other people to create a wrong impression about them...."

AJ steps up the heat with, "I think that the next attack could be a mobile virus that spreads between smart mobile phones. At a designated time the payload could have all the mobile phones dial a specified number, DDoSing the cellular network and the target phone network."

Jim was thinking out of the box when he wrote, "Funny you haven't mentioned terrorism yet. Why blow up a building when you can destroy a nation's economy?"

Not to be outdone, Rick fired away with, "Nations or groups dedicated to the downfall of any given government could be compiling botnet lists and lists of the most effective malware for a coordinated distributed attack to undermine and collapse economic stability, maybe as part of other physical attacks."

Wayne believes that, "the newer threat will be online extortion. Download a malware, encrypt your important info, and ask for money.."

Mike was maintaining a positive outlook when he wrote, "For years, organizations have been spending a lot of money on poorly-implemented or half-baked security solutions so they can check a box on an audit finding. At the same time, auditors have been providing findings of such poor quality that the information is nearly useless to their customers. I believe some of the recent high-profile identity theft cases will bring this to light, and hopefully improve auditing practices and force the hand of large organizations to *properly* implement security technologies."

Mark is convinced that, "a cyberattack on our electronic infrastructure is in the cards." He thinks it could happen by creating a "Coordinated attack on a predetermined time and date launched from many platforms, including zombified PCs, social engineering attacks, and insiders that were 'planted' for D-Day; [or] Indirect attack from the EMP blast from a nuclear warhead on a missile. Could be launched from offshore somewhere, or even from inside the US, with the materials having been smuggled in and assembled on location; [or] Create a crisis of such proportions (some kind of attack) that the much-increased use of the electronic infrastructure because of everyone trying to contact family, friends, etc., crashes everything." (wow, Mark, you should be a screen writer!)

Several more ideas arrived later in the day. In case you are wondering, I'm putting nearly every submission in the diary since these are pretty good ideas. However, after this update we won't add any more.

Chris thinks that "identity theft is going to become more and more popular. There was a report recently about Social Security Numbers being used to covertly allow illegal immigrants to marry legit citizens, sometimes multiple times, and without the legit citizen even knowing! You can do a lot more to someone with their SSN than with their CC number!"

Ronald's theory is "massive insider access to sensitive data that is sold to criminal elements on the Internet. Someone inside somewhere right now smells the money they can get for information. And they are willing to sell it."

Michael has found that "virus and other malicious code will bypass some 'attachment blocking' through e-mail if the e-mail is digitally signed. So a virus writer could potentially use this vulnerability to bypass AVs. I could also see malicious code being encrypted in SSL on web pages, bypassing content scanning at the gateway or through proxies. Can't scan encrypted traffic..."

Florian asserts, "we will see a large increase of linux 'worms' propagating via vulnerable web applications like we saw with phpBB. I think what will make them different will be that they will target multiple vulnerabilities in various software packages (i.e. phpBB, awstats, etc). I'm guessing they won't be depending on google anymore and do it libwhisker style (maybe a combo of both)."

Mark wouldn't be surprised "to see software deployed to turn [compromised computers] into a malicious distributed processing botnet... Think of an evil SETI@Home working to decrypt private data."

Jeff is "afraid of 'booby-trapped' malware/bots/etc. We have already seen many that attempt to disable or evade detection. What if the next generation 'detects' that you have found it or are attempting to disable it, and reformats your hard drive?"

Jeff (different Jeff) believes that "the attacks of the next century will focus on portable devices using MMS and Bluetooth as silent carriers until they are connected to a PC or wired network."

Vinicius wrote to say that, "I see current threats getting smarter. IRC bots replacing the irc protocol by private encrypted protocols, perhaps compatible with http, running on well known ports such as 80/tcp, 443/tcp, with a much less bloated communication, passing undetected by early warning systems and behavior pattern recognition. And all this being installed via web browsers [with] very recent vulnerabilities."

Finally, it looks like Bruce took a peek at what I wanted to do today. No, I didn't know that he posted his blog yesterday on nearly the same subject. Way to go Bruce!! : )

Marcus H. Sachs

Director, SANS Internet Storm Center

Handler of the Day
