By Mark Sutton
Web 2.0 sites, mobile phones, VoIP and even RFID networks likely to be new means of attack
A report released by the Georgia Tech Information Security Center (GTISC), one of the leading independent security research institutes, warns that 2008 is likely to see a wide range of new threats to information security.
The report, which was presented as part of the GTISC annual summit held in the US yesterday, suggests that hackers will likely turn their attention to advanced Web 2.0 websites, mobile phones, Voice over IP networks and even RFID tags to make attacks.
The increasing involvement of organized crime syndicates in online theft is leading to more sophisticated hackers who are motivated by financial gain, rather than personal reasons, according to the report, leading to more sophisticated attacks, that often combine different techniques and look to exploit developing technologies that are not as well protected as existing systems.
Among the trends identified by the report was the increasing vulnerability created by Web 2.0 sites such as blogs, social networking, wikis and RSS feeds. Because these sites have more complex content, they require a lot more code to be executed on the user's browser, which in turn allows hackers to embed malicious code that is then automatically executed.
As Web 2.0 sites often use data from different sources, such as a retail store site using Google maps to display locations, so-called ‘Mashup' technology, make it more difficult for security systems to validate the integrity of the code. Hackers are also embedding spam and malicious code into other types of content, such as instant messaging, shared video content and business documents like PDF and Excel files.
"Attackers will continue to post malicious links as part of the user's everyday online activity - at the end of an IM string, in a YouTube video or embedded in an Excel spreadsheet," said Paul Judge, senior vice president and chief technology officer, Secure Computing.
Hackers are also turning to converged communications networks as a means of stealing data or generating revenues. The number of mobile phone viruses is expected to expand, but attacks are also starting to include financial scams including spam delivered by VoIP telephony, ‘vishing' - VoIP phishing, and even SMS phishing - ‘smishing'.
Other predicted developments in security threats include networks of compromised PCs, or Botnets that are more likely to be used for fraud and corporate espionage, rather than Denial of Service (DoS) attacks, and that are also likely to be formed via P2P networks, making them much harder to block; and also possible exploitation of RFID technology. The report suggests that the largely unprotected RFID technology will increasingly come under threat as it becomes standardized and the hardware becomes more widely available, given hackers the opportunity to develop new ways to exploit the system.
Chris Rouland, chief technology officer, IBM Internet Security Systems said: "The inherent danger in attacking RFID systems is that if a virus is placed on an RFID chip, the RFID reader picks it up and quickly spreads throughout the system. As RFID systems continue to gain popularity in 2008, particularly with credit cards and other personal and financial systems, this vulnerability will be a major threat for years to come."
The report was compiled by GTISC and its Emerging Cyber Threats panel, which includes experts from IBM, McAfee, Secure Computing, SPI Dynamics, Symantec and the US government National Security Agency.