In comedy, a hack is someone who steals material and re-tells the jokes or rides the coattails of another comedian (I still remember Kenny Bania telling Seinfeld, ‘That’s gold, Jerry. Gold!!’). In Information Technology, a hack can either mean a quick non-standard fix to make something work OR a modification to a program to gain access that otherwise would be unavailable. As an aside, there is a bit of controversy over the terms hack/hacker as they have evolved over the years, and some don’t like the connection between ‘hacker’ and ‘security cracking.’ Once the mass media started identifying those with criminal intent as ‘hackers,’ the general population added it to their vernacular and didn’t distinguish between white and black hats, much to the dismay of the computer community.
Now to the numbers. Even back in 2001, Gartner mentioned that 75% of cyber attacks and Internet security violations are generated through Internet applications. Today, probably 70% of attacks specifically target Layer 7. Malware is mostly about stealing and harvesting data. During the height of the economic downturn, especially during October and November 2008, the financial crisis was fueling online crime – not to mention the disgruntled workers who had been laid off. In 2008, data-theft Trojans increased 1,559% and malware increased 582%, with many of the attacks aimed at the energy/oil industry and the transportation sector. Yes, we hear about the retail and financial attacks, but energy and transportation could be considered infrastructure, to some extent, and those areas are attractive to those who want to disrupt basic services. One of the best stories I’ve read was from IBM. Their Internet Security Systems group said they were seeing 450,000 web-infecting SQL injections a day. That’s a lot, but not the whole story. During the first 5 months of 2008, they were only blocking around 5,000 SQL attacks a day. By June, that number was up to 25,000 a day, and just before Halloween, 450,000 SQL injection attempts were being made a day. The June full-day numbers were now happening every hour. The most common ways of delivering malware are either through PDF or Flash, initiated with XSS or SQL injection. Jeremiah Grossman of WhiteHat lists his Top Ten Web Hacking Techniques of 2008 here.
2009 brought more focus in the ways ‘hackers’ gain control both due to media coverage of high scale breaches and regulatory compliance deadlines. SANS published their Top 25 Most Dangerous Programming Errors in an attempt to help both software developers and software customers understand some of the most critical issues facing code development. The OWASP Top 10 also seemed to get renewed interest even though it’s still the 2007 edition. (I believe they are working on a v2009 based on the OWASP message site and the working session page).
If all that wasn’t enough, both cybersquatting and ATM hacks also garnered press. The World Intellectual Property Organization (WIPO) handled 2,329 cases under its dispute procedure for Internet page names, and someone even tried to hack the hackers at Defcon last month. Almost any celebrity death, major sporting event, or other situation that gains major headlines can also bring malware. If you allow remote teleworker access, make sure you scan the security posture of their device prior to entry. Prevention? Stay up to date on patches and AV/FW definitions, don’t click through unknown emails and pop-ups, but most importantly, be careful out there.