http://www.theregister.co.uk/2008/01/14/sans_threat_list/
By John Leyden
The Register
14th January 2008
Security experts have looked into the crystal ball to predict the cyber
attacks most likely to cause substantial damage this year.
The resulting list (below), drawn together by 12 security experts under
the auspices of the SANS Institute, is based on an analysis of emerging
attack patterns. Two of the resulting predictions - malware on consumer
devices and web application security exploits - have already come true
in the early days of 2008, evidence that the rundown is closer to the
mark than other security predictions.
As is often the case, browser exploits came out as the top threat in the
rundown, but the risk is evolving. Web site attacks have migrated from
simple single-bug exploits, to scripts that cycle through multiple
exploits until one works, to packaged exploit kits. One of the latest
such kits, mpack, produces a claimed 10-25 per cent success rate in
infecting surfers.
Attackers are actively placing exploit code on popular, trusted web
sites where users have an expectation of security. Placing better attack
tools on trusted sites is giving attackers a huge advantage over the
unwary public. Meanwhile attackers have broadened the scope of the
vulnerabilities they target to encompass components, such as Flash and
QuickTime, that are not automatically patched when the browser is
patched.
Evolution in existing threats - including stealthier botnet control
techniques and more subtle social engineering approaches in phishing
attacks - is a theme that runs through the whole list.
1. Increasingly sophisticated website attacks that exploit browser
vulnerabilities - especially on trusted websites.
2. Increasing sophistication and effectiveness in botnets
3. Cyber espionage efforts by well resourced organisations looking to
extract large amounts of data particularly using targeted phishing.
4. An increase in mobile phone threats, especially against iPhones and
Android-based phones.
5. Insider attacks
6. Advanced identity theft from persistent bots. Malicious agents that
stay on compromised machines for months will be able to gather enough
data to enable extortion attempts (against people who surf child porn
sites, for example) and advanced identity theft attempts where
criminals have enough data to pass basic security checks.
7. Increasingly malicious spyware
8. Web application security exploits
9. Increasingly sophisticated social engineering, including blending
phishing with VoIP and event phishing. For example, a blended attack
may start with an inbound email, apparently sent by a credit card
company, that asks recipients to "re-authorise" their credit cards by
calling a 1-800 number. The number leads them (via VoIP) to an
automated system in a foreign country that, quite convincingly, asks
them to key in their credit card number, CVV, and expiration date.
10. Supply chain attacks infecting consumer devices (USB thumb drives,
GPS systems, photo frames, etc.). Retail outlets are increasingly
becoming unwitting distributors of malware-infected devices, the
experts warn.
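The blended email-plus-VoIP phish in item 9 has a recognisable shape: a message claiming to come from a card issuer, sent from a domain the issuer does not own, pushing the reader to phone a toll-free number and "re-authorise" a card. The following is an added example of a heuristic mail filter for that pattern, not code from SANS or The Register. The brand-to-domain table (a hypothetical "Example Card" at examplecard.com), the keyword lists and the two sample messages are all constructed for illustration; a real deployment would substitute its own brand inventory and tune the phrase list.

```python
"""Heuristic detector for the 'call this number to re-authorise your card'
phish described above. Added example, not SANS or Register material;
the brand table, keyword lists and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Toll-free NANP prefixes: the 1-800 style callback number is the lure.
TOLL_FREE = re.compile(
    r"\b1[-. ]?8(?:00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b"
)

# Wording that pushes the reader to act now (assumed list, tune per site).
CALL_TO_ACTION = re.compile(
    r"\b(re-?authori[sz]e|re-?activat(?:e|ion)|verify|confirm|"
    r"suspend(?:ed)?|within \d+ (?:hours|days))\b",
    re.IGNORECASE,
)

# Brands an attacker might impersonate, mapped to the domain they really
# send from. Hypothetical entry; replace with a real inventory.
BRAND_DOMAINS = {"example card": "examplecard.com"}


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def _sender_domain(from_header: str) -> str:
    """Domain of the envelope-visible From address, lowercased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _claimed_brand(text: str):
    """Return the first known brand name mentioned in the text, if any."""
    for brand in BRAND_DOMAINS:
        if re.search(re.escape(brand), text, re.IGNORECASE):
            return brand
    return None


def score_vishing(raw: str) -> dict:
    """Score one RFC 822 message for the call-back phish pattern.

    Flags the message only when the lure (a toll-free number) appears
    together with at least one supporting signal: urgent wording, or a
    brand claim that does not match the sending domain. A genuine
    statement notice that happens to print a support number is left alone.
    """
    msg = message_from_string(raw)
    body = _body_text(msg)
    sender = msg.get("From", "")
    reasons = []

    numbers = TOLL_FREE.findall(body)
    if numbers:
        reasons.append(f"toll-free callback number: {numbers[0]}")
    if CALL_TO_ACTION.search(body):
        reasons.append("urgent call-to-action wording")

    brand = _claimed_brand(sender + " " + body)
    if brand:
        domain = _sender_domain(sender)
        if domain != BRAND_DOMAINS[brand]:
            reasons.append(f"claims {brand} but sent from {domain or 'unknown'}")

    suspicious = bool(numbers) and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons, "numbers": numbers}


# Constructed sample: the attack from item 9 (look-alike domain, toll-free
# number, "re-authorise" pressure). 555-01xx numbers are reserved for fiction.
PHISH = """\
From: Example Card Security <alerts@examp1ecard-secure.net>
To: customer@example.org
Subject: Action required: re-authorise your Example Card
Content-Type: text/plain; charset=us-ascii

Your Example Card has been temporarily suspended. To re-authorise
it, call our automated line at 1-800-555-0142 within 24 hours and
have your card number, expiry date and CVV ready.
"""

# Constructed sample: a genuine notice from the real domain that also
# prints a toll-free number but applies no pressure.
LEGIT = """\
From: Example Card <statements@examplecard.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=us-ascii

Your Example Card statement for January is now available in online
banking. No action is needed. Questions? Call 1-800-555-0199.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_vishing(sample))
```

The number alone is deliberately not enough to flag a message; requiring a second signal keeps the filter from quarantining every statement notice that prints a support line, while the domain mismatch check catches the look-alike sender even when the attacker tones down the wording.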
The list will be formally launched at the SANS Security 2008 conference
in New Orleans later on Monday (14 January).
Received on Tue Jan 15 00:23:28 2008