Smartphone attacks, rogue antivirus, cloud breaches top 2010 security concerns

The rise of the Conficker worm and Heartland Payment Systems' enormous data breach were two defining security events in 2009. What's in store for 2010?

"It's going to get worse," says Patrik Runald, senior manager of security and research at Websense, who argues there has not yet been a year when things got better in terms of security and the wider Internet. Criminals have been mastering botnets, phishing scams and fake antivirus software sales, and 2010 will bring new waves of attacks that exploit fresh targets. Specifically, smartphones such as the Apple iPhone and those based on Google's Android operating system will be in attackers' line of sight for 2010, Runald says.


While a handful of malware attacks have surfaced of late against "jailbroken" iPhones (ones whose owners have deliberately disabled Apple controls), it's only the beginning.

People are jailbreaking their phones to "get out of what they see as a stranglehold by Apple so they can install what they want," Runald says, but one effect is that "they're opening themselves to greater risk."

As attackers accelerate malware attacks against jailbroken phones, the dilemma, Runald says, is that vendors "cannot develop an antivirus application for the iPhone" because of the way Apple engineered it to preclude low-level access. "There's no way you can intercept file transactions," Runald says. Though security vendors might eye writing antivirus software for iPhones, "no one will do it" because of the nature of the iPhone's underlying design.

Khoi Nguyen, group product manager at Symantec, also says the current iPhone SDK doesn't allow third-party vendors to conduct the background processes for malware prevention that involve deep scans and checks for file protection. "We're hoping Apple will open up its SDK," Nguyen says.

Smartphones based on Google's Android present a different situation. Google has not made itself the gatekeeper of applications, but malware disguised as helpful applications could end up on Google application stores and people could end up downloading malicious code, unaware of the consequences.

Another accelerating security trend is the wave of criminals selling rogue antivirus software. Fake antivirus software is often called "scareware," since frightening the PC owner is often part of the scam. Rogue antivirus, which Symantec counts as a top threat going into 2010, is not only thriving, but criminals selling it are starting to display new tricks.

"They're selling and re-branding copies of software that could have been downloaded for free elsewhere," says Zulfikar Ramzan, technical director at Symantec Security Response, which has tracked several hundred distinct rogue antivirus software products and 43 million attempts to download them in the latter part of 2009. Social networking sites are becoming a way to disseminate them.

An emerging security concern in 2010 is the potential for cyber-criminals to abuse cloud computing, says Tom Cross, X-Force advanced research manager at IBM. It's already starting to happen, he says, though incidents aren't yet getting much publicity.

Cross says cybercriminals are using stolen credit cards to pay cloud service providers to host virtual machines, then using those machines to run the command-and-control and attack components of a botnet that carries out denial-of-service attacks, network intrusions and more.

They might get a month's free ride with a phony credit card, and then move on. "We're seeing this happen," Cross says. The issue for legitimate companies is how their cloud service provider plans to handle such incidents -- especially since legit customers might end up sharing a physical server with a criminal in a virtualized environment, Cross points out.

"As a policy, people should insist that cloud computing vendors have a lot of knowledge about their customers," Cross says. Legit customers could find themselves impacted if they share the same server as a criminal.

Trend Micro also says cloud computing is a priority spot to watch in 2010. In particular, there are potential security issues associated with doing business on Amazon that businesses should be aware of, says Andy Dancer, Trend Micro's CTO for encryption.

"The move to the cloud is the next big architecture change we see, so the question is, what are the new threats that come along with that platform?" Dancer asks.


"Amazon is definitely out there at the forefront right now with their EC2 services," says Dancer, so it's worth examining Amazon and its customers as a target of attack. One specific type of attack against Amazon and its customers could involve the Amazon set of APIs used for data-sharing, which are public. Used by customers for uploading, downloading, or rebooting machines among other purposes, the Amazon APIs could be used by an attacker to commit a data breach and take machines offline, for instance. Although Amazon uses a good public-private key mechanism for security with its APIs, the point of attack would more likely be subversion through manipulation of reset processes, for instance, rather than trying to break keys, Dancer notes.

In general, cloud computing allows virtual machines to sit side by side, Dancer points out, "and you have to put a perimeter around your virtual machine because the guy trying to break into you may be sitting right next to you."

One cloud-computing effort announced in November that's certain to be watched in 2010 is that of Cisco and EMC, which together with VMware announced the Virtual Computing Environment coalition to offer fully integrated "infrastructure packages" that combine virtualization, networking, computing, storage, security and management technologies. They also announced Acadia, a joint venture to foster build-outs of private cloud infrastructures for service providers and large enterprise customers.

But will encryption services be part of it?

"Encryption services in the cloud? I just don't think it will be here in 2010," says Sam Curry, vice president of product management at RSA, the security division of EMC (which also owns about an 85% share in VMware). "This has to be done in proportion to customer demand, and being ahead of the market is as bad as missing it," Curry says.

Ted DeZaballa, national managing partner for security and privacy at the Deloitte US consultancy, says he doesn't think there will be widespread adoption of cloud computing in 2010 based on feedback Deloitte gets from its client base. One reason is security concerns that potential cloud adopters have.

But to DeZaballa, the biggest threat in 2010 is organized crime that stealthily moves to exploit an individual's computer in order to infiltrate the larger enterprise. Organizations "simply don't understand how exposed they are," he says.

And non-Windows users won't be spared security headaches in 2010, many agree. Although Microsoft Windows-based machines have been the main targets of attacks such as drive-by downloads that exploit unpatched software, many believe that 2010 is going to be a time when other systems, including Mac and Linux-based computers, get more attention from attackers.

"Most of the attacks have been built around the Windows environment," DeZaballa says. "But the trend in 2010 will be more attention to others, such as Linux and Mac."

Macs in the enterprise appear to be on the upswing, "and the Apple Mac sees tons of vulnerabilities that could be used for malicious downloads," Runald says. "Today there are no drive-by attacks on Macs but next year it's coming."

This story, "Smartphone attacks, rogue antivirus, cloud breaches top 2010 security concerns," was originally published at Network World.
