http://www.vnunet.com/News/1130755 By James Middleton [09-04-2002] Hacking tools are becoming increasingly sophisticated The Computer Emergency Response Team (Cert) has released a report pinpointing the six fastest evolving trends in the black hat world of internet security. The organisation, which has been monitoring hacker activity since 1998, found that the most notable trend to evolve over recent years is the automation and speed of attack tools. Although widespread scanning over the internet has been common since 1997, today's tools are set to maximise impact and speed. Freely available attack tools now exploit vulnerabilities as part of the scanning process and are capable of self-initiating new attacks on a well-managed and co-ordinated global scale. "We've seen tools like Code Red and Nimda self-propagate to a point of global saturation in less than 18 hours," said Cert. Public communications protocols such as IRC and Instant Messenger have now become popular methods for co-ordinating attack tools. The tools are more sophisticated, and their signatures are more difficult to discover through signature-based systems such as antivirus software and intrusion detection systems. Attack tools are capable of disguising their nature, varying their patterns and making use of polymorphic techniques to upgrade or replace portions of themselves. Commonly used protocols such as IRC or HTTP are being used to disguise malicious code among legitimate network traffic. Cert also warned that the number of vulnerabilities discovered has more than doubled each year, making it nigh on impossible for administrators to keep on top of patches. "Intruders are often able to discover these exemplars before the vendors are able to correct them," warned the authority. The increasing permeability of firewalls is also posing a problem, as security is being sacrificed to convenience. More technologies are being designed to bypass firewalls, such as IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning). While marketed as being 'firewall friendly' these technologies are actually designed to bypass typical firewall configurations. Other examples include aspects of 'mobile code', such as ActiveX, Java and JavaScript, which make it harder for malicious software to be discovered. Because security on the internet is, by its very nature, highly interdependent, another increasing threat to each system's exposure to attack depends on the state of security of the rest of the systems attached. A single attacker can relatively easily employ a large number of distributed systems to launch devastating attacks against a single victim. Cert found that the increasing threat from infrastructure attacks takes on four general methodologies. Distributed Denial of Service attacks use multiple systems to attack one or more victims. Cable modem, DSL, and university address blocks are increasingly targeted by intruders planning to install these attack tools. Worms, or self propagating malicious code, couple a highly automated nature with the relatively widespread number of vulnerabilities still unchecked, to compromise a large number of systems within a few hours. Code Red infected more than 250,000 systems in just nine hours on 19 July last year. Domain Name System architecture is also being targeted more frequently. The 13 top level domain servers for .com, .net and .org, along with those managing the country level domains, have long been considered a single point of threat in internet security. And routers are increasingly being targeted, because they can be used as attack platforms against the rest of the internet infrastructure. Cert said that the largest impact of these security events may well be the time and resources required to deal with them. Analyst firm Computer Economics recently estimated that the total economic impact of Code Red was $2.6bn, and that SirCam cost another $1.3bn. The 11 September attacks will cost around $15.8bn to restore IT and communication infrastructure. The full report can be found here. http://www.cert.org/archive/pdf/attack_trends.pdf - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Apr 10 2002 - 05:02:05 PDT