Fearsome Decade

2:00 PM -- It's now been 10 years since the birth of the IT security industry as demarcated by Sun Microsystem's reselling of Check Point Software’s firewall on its hardware platform. That decade has been marked by dire predictions of cyber warfare, hackers, and the dreaded disgruntled employee. A decade ago, the biggest threat was thought to be the pimply teenager from Canada, the sort responsible for Web defacement such as the headline garnering attack on the New York Times homepage. Then they were credited with the creation of worms and viruses that had significant and devastating consequences for many organizations. But in light of rootkits, botnets, and worse, it won't be long until those days of battling viruses and malware are viewed as an innocent time of unfettered usage of the Internet.

The last 18 months have seen the rise of a cyber crime wave that is unchallenged and unabated. This crime wave takes several forms, but they are all interrelated. The dual scourges of adware and spyware that have infected most computers with dozens of unwanted programs that bog them down and even make them unusable is very familiar to any Windows user.

The criminal aspect to adware and spyware is in the way the software sneaks on to the computer using drive-by downloads or elaborate social engineering embedded in the end-user license agreement. Many of these are bundled with shockware such as stock tickers, weather tool bars, or screen savers. The distributors and creators of adware and spyware make money by forcing pop-up ads down to the PC. Each presentation of an ad generates revenue.

Documentation from the recent filing against New York’s Direct Revenue by Elliot Spitzer’s office reveals just how lucrative the business can be. The executives took $27 million out of Direct Revenue in 18 months. Each time a user clicks on an ad, that generates even more revenue. I estimate that this click-through adware industry represents over $2 billion in annual revenue, about one-sixth of the legitimate online advertising market.

But times are tough for this industry. There are many anti-spyware products, and legislation is making it illegal in the US and Europe. The bad guys are moving on to richer targets. The richest targets are stores of data that can be used to generate cash. Attacks against Lexis-Nexis, BJ Wholesale, and CardSystems have been successful and led to the loss of millions of records and uncounted profits for the attackers. CardSystems, a credit card processor, was forced out of business thanks to a data breach that exposed tens of millions of credit card records. Its assets were sold to Cybersource after the major credit card associations withdrew their support.

In 2004 the largest bank heist in history went unmarked by most of the financial press. It was revealed in October of that year that local authorities had stymied an attack on Sumitomo Mitsui's bank branch in the heart of London's financial district. The thieves masqueraded as the cleaning staff and with the assistance of a bank guard installed hardware key stroke loggers on critical PCs within the branch. The surreptitious devices were then used to harvest administrative passwords that allowed the bank robbers access to the PCs that were used to execute inter-bank wire transfers over the SWIFT network. The attackers then proceeded to transfer over $400 million to 10 different accounts around the world. To date, only one arrest has been made in the Sumitomo case. Bank officials claim that no funds were permanently lost. The question remains: What happened to the bank robbers? Are they even now targeting their next victim?

There is another frightening development in the world of cybercrime. That is the effective use of Distributed Denial of Service (DDOS) attacks to extort money from high-volume transaction sites on the Internet. The attack is usually prefaced with an email demanding funds, and the threat of a massive amount of Internet traffic innundating the target asset. Because online gambling sites, which are hosted in Costa Rica and other off-shore locales, were the first targets these attacks gained little notice. As these sites learned to protect themselves with redundant servers, high-end routing infrastructure, and huge amounts of available bandwidth, the perpetrators moved on to other targets.

The middlemen for online gambling are transaction processors that accept credit cards and funnel the money to the gaming sites. They too have begun to suffer from these extortion attempts. Any organization that sees a significant source of revenue from their Web assets is at risk of being targeted by a DDOS attack. This includes e-commerce sites, foreign exchanges, online brokerages, even the major stock exchanges.

For the last ten years it has been possible to hide in obscurity from targeted attacks. The time is rapidly approaching, less than 12 months by my estimate, when security by obscurity will no longer be viable. As the cyber criminals consolidate their earnings from successful attacks they are systematically seeking new targets. They are seeking out any organization that handles large volumes of credit card transactions to either steal that information or threaten an outage in exchange for money. Think that's overblown? Just last week, they targeted popular sites such as Google and eBay. It is time to revisit your risk assessment scenarios and include the certainty that your vulnerable online assets will be targeted in the coming months.

— Richard Stiennon is founder of IT-Harvest Inc. Special to Dark Reading