
Be on the lookout for these security threats in 2007

As the end of 2006 rapidly approaches, it's time to start thinking about what new security threats a new year will bring. In this edition of the IT Locksmith, John McCormick offers his take on 2007's biggest security worries.

2006 is waning, and it's time to gear up for a new year of security threats. Where will attackers focus their efforts in 2007?

Details

As the end of 2006 rapidly approaches, it's time to start thinking about what new security threats the new year will bring. Despite the large number of new virus, worm, and Trojan reports this year, the number of significant virus threats shrank to near invisibility.

Meanwhile, phishing and new spam tactics—such as the use of literary quotations to get through filters—ran rampant. However, I don't consider phishing to be a major threat in the corporate setting—yet. While it is a minor problem, sensitive corporate data just isn't something likely to be exposed in this way.

Spam, on the other hand, is a major expense for businesses. But, despite the new approach of using literary quotes to bypass security measures, my inbox is getting less and less unsolicited e-mail. I guess that means anti-spam filters are beginning to cope—it's certainly not because spammers are reducing their efforts.

But the coast isn't clear quite yet. One thing particularly worrying is the increasing amount of video and image spam. While it's no more dangerous than regular spam, it takes up a lot more bandwidth.

You can also expect that voice over IP (VoIP) implementations will become a bigger target. Companies share a lot of corporate secrets in voice and teleconference calls, so this is a concern you need to keep an eye on. In addition, look for VoIP-related phishing schemes targeting businesses.

Identity theft will continue to grow as a threat—and not just for individuals. Corporate identity theft is also a growing concern. After all, why pick on individuals who have relatively limited assets?

And here's another potential worry: According to an Israeli security firm, PIN numbers are much more vulnerable when using ATMs than previously thought. I haven't been able to pin down the degree of the threat just yet, but it's something to keep in mind.

In addition, companies need to be aware of the indirect effects of these security threats, including how they can affect the business' bottom line. Whether it's lost productivity due to an employee's stolen identity or scams targeting employees at work that could expose the corporate network, threats to individual employees are threats to the company as a whole. That's one more reason to educate users about security threats.

Finally, one thing that likely won't pose a major threat in 2007 is Microsoft's new operating system. Sure, it may turn out to be far less secure than the Redmond giant claims. Regardless, it simply won't be a big player in corporations in 2007 because most IT managers will spend a lot of the year evaluating whether to upgrade now or later. By the time IT's ready to install Windows Vista on any large scale, we should have a pretty good handle on how secure it really is.

Apple patches multiple OS X vulnerabilities

Before you start planning for future security threats, make sure you've patched the current ones. Last week, Apple released updates for a number of known threats in the Mac OS X operating system, patching 31 vulnerabilities in the process.

The threat level for some of these vulnerabilities is critical. Threats include possible denial-of-service attacks, unauthorized system access, and information disclosure. For the appropriate update, check out the Apple Downloads Web page.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

7 comments
tundraroamer

Yesterday I received a phone call from "Mary" at PC Mall thanking me for calling her last week during her absence? I cut her off and said she was lying. I did not call her, did not know her. In fact I recognized her voice as one that twice I have asked not to call me again in the past month. And then I hung up and fired off an e-mail to PC Mall. It came back as undeliverable even though I sent it from their website. No matter, I had already blocked their URL from our system. This made me think of hackers using this approach as an old form of social engineering to gain access by making calls just like this. Perhaps they offer a free gift or something and all they have to do is log on to a website to claim it. And the dirty work is done. Maybe the hacker has already identified the company as a target and only needs a secure way in. Maybe they could even hire "legitimate" telemarketers to do the calling, further hiding their activities. You get the idea. As security tightens, so will the creativity of those trying to break it. Companies need to train employees on this type of attack as well. Care to talk about phone systems being hacked?

Tech Locksmith

Actually, a friend of mine used to work at MITRE, which may not mean much in this context unless you remember that the hacker who Cliff Stoll (http://en.wikipedia.org/wiki/Clifford_Stoll) tracked down broke into MITRE's phone system. Kinda scary when you note that MITRE's main client is the U.S. Govt and they are just down the pike from the C.I.A. in McLean, VA. Of course, showing up the FBI isn't necessarily a good career move even for a physicist. Cliff is now selling Klein bottles on the Web and teaching eighth graders, probably challenging, but what I, as a physicist, consider a bit of a step down from solving the secrets of the universe. Cliff may disagree, I don't know him personally.

tundraroamer

Which is how our phone system was hacked. They found an unused voice mail box on our system and reprogrammed it with a call forward feature using 101020 (I think) and we got the bill for calls going to the Philippines and India. They would call the direct number, forward the call and the operator would ask to confirm the charges to the caller's number (ours), which they would mumble something like yes to disguise their voice. They hacked a bunch of systems in our town that week that nearly all happened to use the same vendor's phone system. We use a controlled long distance code for dialing but they got around it. I then got a visit from the Secret Service who flew up from Portland because they happened to hack the Federal Court System here at the same time and they were investigating. He said that the hackers set up these numbers and then sell them to people who want to make free phone calls home. They use cell phones that are harder to trace. I learned a few things about phone hacking in the process. I traced some of the calls to other businesses that were also being hacked and were located in other States. These were also being called from our own system during the call forward to apparently try and cover their tracks. It was sad because of the response I got. They didn't care. Who would notice a few hundred dollars extra on the monthly bill? We did. Thanks to AT&T (who is not our carrier) who tipped us off as to what was happening the day it started. They were on top of it and caught the dialing pattern only hours into the theft. If you have direct dial phones, make sure you password protect the voice mail boxes with not so easy numbers - DO NOT use keypad patterns as those can be guessed as well. Disable any unused voicemail numbers.

w2ktechman

recently was called on the phone. He was told that an item that he had purchased was shipped yet. Since it had gone beyond the normal timeframe of shipping, he was asked to cancel the order, or have the item shipped (needed verification). They told him his bank account # and stated that they needed his permission to put back his funds ($298). In this account, that is all that was in there (funny, huh). He didn't think twice, stated yes, and so they took the money out (instead of adding it back in). Other thoughts, he told me that he didn't even order anything costing that much, nor was aware of their product. And he thought that it could not be theft because they gave him his account #. His account was empty an hour later when he went to the bank for gas money. So beware of stupid phone calls like this.

Tech Locksmith

Does your company offer any information/training on personal security at home and work? After all, you already need to teach them how to protect the company computers and it is an inexpensive perk you can offer, would enhance the standing of IT security by showing they do more than keep the network traffic moving, and any employee hit by ID theft or even credit card fraud is unlikely to be fully productive. Seems like a win-win to me.

contact-pro

1. I use Firefox for a browser and Thunderbird for an e-mail client.
2. I set Thunderbird to show the ** FULL HEADER **
3. I forward every spam and/or phishing message to:
   A. SPAM@UCE.COM (the Federal agency for Spam)
   B. ABUSE@FTC.COM (this is for the un-licensed drug sellers)
   C. I start every forwarded message with the following.

" *** HEADER INCLUDED *** Here we go again !! These people obtain a "Throw away" e-mail account, mass mail from CD Rom lists purchased over the Internet and then go to a different e-mail account to do it all over again. The only way to stop them is to go after the persons and/or companies that are paying them: I.E. the link given to the recipient to purchase the goods and/or services offered in the SPAM. *** F O L L O W T H E M O N E Y ***

I use Earthlink as my provider and their filter systems "SUCKS". At one time, I was receiving up to 50 - 75 junk e-mails a day, now it's down to 4 or 5. Somebody ** MUST BE DOING SOMETHING ** Try it, if enough people do it, the FED's will just have to get up off of their *** BIG FAT SWIVEL CHAIRS *** and really do something.

NOTE TO MODERATOR: Please do not release my e-mail address

w2ktechman

for being 'shadow IT' for a legal dept. we sent out emails to the department before every holiday. In these emails were tips and tricks to use common applications for the most part. But we also sent out informational things such as 'helping to secure your home wireless connections' and 'help to avoid ID theft' among many others. These docs were usually written by me, and the Legal manager receives lots of favorable feedback from each of them. Too bad the company decided that they can do without specialty IT or shadow IT.
