The SANS Institute, which operates the GIAC security certification program, released updates to its Top 20 Internet Security Vulnerabilities last week. Although there were a couple of fairly predictable threats—such as continued discoveries of zero-day vulnerabilities in Internet Explorer—there were a few major surprises on the list as well.
One of these revelations included a spike on attacks on database technologies such as access systems, warehouses and back-up. Notably, these include Oracle, Veritas and SQL Injection. “The most interesting of those is the back-up attacks, because you only back up your most sensitive information,” said Alan Paller, the SANS Institute’s director of research. “If you have a back-up system where you haven’t encrypted the data and the back-up system is vulnerable, you’re basically posting all of your most sensitive data on the Internet, where everybody can get to it.”
All of this points to a new trend of attacking the data instead of the system, he added. “None of those alone would have been a pattern, but all of these together show that they’re going after the data. Most of the attacks you saw for a long time were system attacks or user attacks—viruses that were downloaded through a user opening an attachment. The new ones have three different dimensions to them. It looks like it’s just an efficiency thing on the part of the attackers because ultimately there’s high value in the data.”
Another disconcerting trend was the rise of so-called spear-phishing, or highly targeted e-mail-based attacks, most of which are aimed at national security and defense organizations. Part of the reason this trend isn’t especially well known is that it’s intentionally unpublicized, Paller said. “The military says, ‘That’s classified.’ Whether it ever happened or not, they’ll never tell you. My problem is that they won’t fix it. There’s actually way to fix spear-phishing, but it’s hard. You basically have to run inoculation programs. You have to run private spear-phishing attacks against your employees, and when they fall for it, you have to say, ‘You don’t want to do that.’”
Other developments in the SANS announcement suggest that all of the Microsoft competitors who derided the lack of security of the company’s software might have been residents of glass houses throwing stones. For instance, Firefox and Mozilla were mentioned as having increases in critical vulnerabilities. “With 20 million users, it’s a big enough market,” Paller said. “People are already covering all the vulnerabilities in Internet Explorer, so other innovative attackers have decided to go after the smaller but less crowded Firefox user market.”
Also, the amount of vulnerabilities discovered in Apple’s MacOS/X has shot up recently, more or less coinciding with the company’s conversion to the Intel processing chip. “It’s not at all clear that Apple ever had fewer bugs than Microsoft,” Paller said. “It was just that nobody was looking for them, so who cared?” However, in a weird way, the number of vulnerabilities discovered is a kind of compliment—an indicator that a lot of people out there use your product. “You don’t find a spike in vulnerabilities unless people are going after them,” he explained. “You discover vulnerabilities because people are looking for them, and they’re looking for them because people are using them.”
For more information, see http://www.sans.org.