The Threats To Come

As security pros protect their applications and networks from today's most common attacks, hackers are preparing to wage new wars. As new technologies such as Web services, radio-frequency identification, and smart phones loaded with complex operating systems become prevalent, new attack techniques against business-technology systems will follow.

Hey, it's nothing personal--it's just business. The days of the hacker interested in intruding upon networks, cracking systems, and writing viruses and worms for the joy of the challenge or the mischievous thrill are turning into the days of the hacker as profit-motivated mercenary. The profit to be made through identity theft, corporate espionage, or using hacker skills to attack business competitors will continue to rise (see Extortion Online).

And so must your vigilance. "It's common for security professionals to continue to focus on fighting their most previous battles," says Pete Lindstrom, research director with Spire Security. "But it's important to prepare for the next front line."

Here's a look at some of the new front lines you'll be defending:

Complex Web Attacks
Last month one of the most complex attacks to strike the Internet targeted unsuspecting Web surfers who visited certain Web pages. Attackers infiltrated an Internet marketing company's server and redirected Web surfers who visited sites displaying banner ads transmitted via the infected ad network to sites containing malicious code. The attackers targeted a yet-to-be patched flaw in Microsoft Internet Explorer. The attackers also used an OpenSSL flaw in open-source Apache Web servers as part of the attack. Earlier this year, hackers attacked Web surfers via another Internet Explorer flaw by infecting Web sites and attaching malicious code to JPG image files.

Security experts predict attackers will continue to devise multipronged attacks like this, which exploit several security weaknesses in software as well as weaknesses brought by Internet companies, to spread their malicious code as quickly and to as many people as possible (see Hackers Take Aim At Ad-Server Networks.

Web-Service Attacks
As more companies deploy Web services, security experts predict hackers will find weaknesses in both Web-services security standards and companies' implementation of these relatively new standards. Expect attackers to attempt to tamper with Web-services transaction data, deploy transactions that could contain potentially malicious payloads, and launch denial-of-service attacks (see Motorola Secures Web Services).

Spyware Threats
Spyware is one of the fastest-growing Internet threats (see Tiny, Evil Things). Unlike worms, viruses, and denial-of-service attacks, which are obvious when they strike, the crafters of spyware don't want their work to be discovered. They'll create more clandestine versions of spyware apps, such as adware, Trojan horses, and keystroke loggers that could take weeks or longer for antivirus companies to discover.

Cell-Phone/Mobile-Device Attacks
So far, attacks against cell phones have been what's called "proof-of-concept" attacks. Virus authors have written applications such as the Cabir virus, which spread via Bluetooth, and the Skulls Trojan, which disguised itself as a cell-phone wallpaper or ring tone but actually disabled some cell-phone functionality and turned icons on the screen into images of skulls (see Worm Is First To Target Mobile Phones).

RFID Vulnerabilities
Expect hackers to exploit weaknesses in RFID tags to attempt to wreck havoc on supply-chain systems by changing details stored on the tags, including pricing and the actual product. Hackers are also likely to attempt to attack the back-end systems that store and share RFID inventory information (see RFID's Security Challenge).

Return to the story: New Threats Ahead