IBM: Top threats include data breaches, BYOD, browser exploits

That’s the word from the IBM X-Force 2012 Mid-Year Trend and Risk Report, which shows that a continuing trend for attackers is to target individuals by directing them to a trusted URL or site that has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. Further, the growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands.

IBM also noted that attackers are no longer primarily attracted to the Windows universe. The user base for the Mac operating system continues to grow worldwide, so it is increasingly becoming a target of advanced persistent threats (APTs) and exploits.

“We’ve seen an increase in the number of sophisticated and targeted attacks, specifically on Macs and exposed social network passwords”, said Clinton McFadden, senior operations manager for IBM X-Force research and development. "As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data."

At the mid-year point in 2012, IBM sees an upward trend in overall vulnerabilities, with the possibility of an all-time high by year-end. Even so, IBM X-Force data continues to demonstrate declines in true exploits, with only 9.7% of all publicly disclosed vulnerabilities subjected to exploits. That’s mainly due to improvements from the top ten vendors on patching vulnerabilities and a significant decrease in the area of portable document format (PDF) vulnerabilities. IBM said that this area of improvement is directly related to the new technology of sandboxing provided by the Adobe Reader X release.

Sandboxing technology works by isolating an application from the rest of the system, so that if compromised, the attacker code running within the application is limited in what it can do or access. Sandboxes are proving to be a successful investment from a security perspective, IBM noted. In the X-Force report, there was a significant drop in Adobe PDF vulnerability disclosures during the first half of 2012, which coincides nicely with the adoption of Adobe Reader X, the first version of Acrobat Reader released with sandboxing technology.

In terms of mobile security, the BYOD phenomenon continues to be the main game-changing transformation. Many companies are still in their infancy in adapting policies for allowing employees to connect their personal laptops or smartphones to the company network.

While there are reports of exotic mobile malware, most smartphone users are still most at risk of premium SMS scams, in which installed applications automatically send text messages to premium phone numbers in a variety of different countries. There are multiple scam infection approaches for this, such as offering users an application that looks legitimate in an app store but only has malicious intent; presenting an application that is a clone of a real application with a different name and some malicious code; or hacking a real application to wrap it with malicious code. The latter is typically presented in an alternative app store.

Passwords in the cloud services era are another rising focus, IBM said. The connection between websites, cloud-based services and webmail provides a seamless experience from device to device, but users should be cautious about how these accounts are connected, the security of their password and what private data has been provided for password recovery or account resetting.

“X-Force recommends the use of a lengthy password comprised of multiple words instead of an awkward combination of characters, numbers and symbols,” researchers said. “On the server-side, X-Force recommends encrypting passwords to the database using a hash function that is suitable for password storage. The hash function should be computationally expensive to calculate and use a salt value for each user account which helps limit the effectiveness of 'rainbow tables' and brute force dictionary attacks.”

Early in 2011, IBM X-Force declared it the year of the security breach. Enterprises both large and small were targeted. The overall breach trend continues into 2012, IBM said, with the healthcare industry in particular seeming to have been hit hard.

“While security products and technology could have mitigated many of these unfortunate events, we are seeing more than ever how systems interconnectedness, poor policy enforcement, and human error, is far more influential than any single security vulnerability,” IBM researchers noted. “We’ve seen several headlines regarding cases where digital identities were decimated, not through malware, key loggers, password cracking or even through access of the victim’s computer or device. Instead, the bad guys accomplish their nefarious deeds by culling a small amount of personal data from public sources, using clever social engineering tricks and depending upon the loose policies of a handful of companies who we trust with our private data. Now, more than ever, the delicate balance between security, convenience and privacy takes center stage.”

In one case, attackers bypassed two-factor authentication – commonly thought to be almost failsafe – simply by convincing a mobile phone provider to relocate a user’s voicemail, giving attackers the data they needed to reset a password. In another, the last four digits visible on one site were used by another service as a key piece of identification data, and used to reset the account. For each one of these types of high profile incidents, there are hundreds of similar breaches going on beneath the radar.

Through the disclosure of breaches in 2012, IBM continues to see SQL injection reigning as the top attack technique. In addition, attackers seem to be taking advantage of cross-site scripting vulnerabilities for web applications. Over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.

Even with all of this abundant attack activity, IBM points out that there are bright spots as well.

“Spam and phishing levels remain low with the take down of botnets in 2011, and as recently as July 2012, we witnessed yet another botnet take down with the removal of Grum”, the IBM report noted. “The data clearly demonstrates declines from this activity. Positive web trends continue with the adoption of IPv6 technology. Currently, enterprises and governments taking advantage of IPv6 find less malicious activity occurring, although we don’t know when attackers will decide to adopt IPv6 technology.”

Overall, going forward IBM concludes that a more holistic approach to the entire ecosystem is required. Users should become more aware of how visible their personal data is online, more aware of who has access to it, and more aware of how it can be used against them. This affects not only their social networking, but also their choices of mobile application selection and usage.
