Feds Wrestle With Security Threats

In Black Hat DC keynote, current and former government officials discuss emerging Internet threats

WASHINGTON -- BLACK HAT DC 2008 -- Hackers are getting more creative and avaricious, and enterprises and government agencies are struggling to keep up, current and former officials said here today.

In a frank assessment of the current state of security in the U.S., two keynote speakers said security professionals are fighting an uphill struggle to defend against an increasingly broad array of threats from cyber criminals.

"Today's hackers are increasingly motivated and persistent, and they're using technologies and practices that are becoming more sophisticated all the time," said Jerry Dixon, director of analysis for the Team Cymru research organization and former executive director of the National Cyber Security Division and US-CERT.

In a recent study, Team Cymru ran 1,066 pieces of current malware against 32 antivirus packages. The AV products detected only 37 percent of the malware. "A lot of people still think that because they have AV tools in place, they must be safe," Dixon said. "We have to help them understand that that's not the case."

Team Cymru has detected some 3.6 million command and control relations on the Web, which suggests a huge growth in botnet traffic, Dixon said. "And that's just what we know about," he said. "With increasing use of P2P and encryption, botnets are becoming very difficult to detect."

Enterprises need to do more to protect themselves against these growing threats, Dixon said. "We're still seeing that most organizations don't know where their data resides and who they're sharing it with." Some companies have not upgraded their router infrastructures for six or seven years, he noted, rendering them too old to take advantage of current security upgrades.

While Dixon offered the long view of Internet security threats, Internal Revenue Service security expert Andrew Frieh offered a look at some of the specific attacks, particularly phishing exploits, that target the U.S. tax service.

"We saw the first IRS phishing site in 2003, and there was only one in 2004," said Frieh, whose official title is Treasury inspector general for tax administration. "Currently, there are more than 1,600 of them."

The IRS is seeing a wide range of attacks that have evolved from these early phishing efforts, Frieh said. In some cases, phishers pretend to be IRS investigators and demand users' personal information. In other cases, the user is presented with an online form that offers a tax refund that can be deposited directly to that user's debit account.

"We'll likely see more of this as we prepare to issue tax relief in the second week of May," Frieh said.

Some phishers have expanded their IRS-related exploits to include "vishing" attacks that encourage users to give up personal information over the phone, Frieh said. The agency even has seen traditional 419 scams that ask the user to send money to a Gmail account, he said.

Most of the exploits emanate from Eastern Europe, and the perpetrators generally are happy with even a very low threshold of success, Frieh said. "When you think about where some of these people live, they don't need to make hundreds of thousands of dollars to do well," he observed.

The government is making an effort to stop the growth of these attacks, and it has succeeded in shutting down a number of phishing sites, Frieh said. "But it's like playing a gigantic game of whack-a-mole," he said. "Once we shut down a site, another one pops up in its place."

The IRS also is making a conscious effort to expose vulnerabilities among taxpayers, Frieh said. Many hackers are moving away from direct attacks on Websites and seeking to install keyloggers and other malware, he observed. "Pretty soon there won't be a need for phishing sites," he said. "It'll all be done through keyloggers."

The agency is also taking a close look at P2P vulnerabilities, Frieh said. "Every year we do a P2P scan to see what we can find," he said. "You'd be surprised how many tax returns we can find with a simple scan."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.