by Al Sacco

Report: Hackers to Target Web 2.0, Mobile, RFID Technologies in ’08

Oct 10, 2007
6 mins
IT Strategy

The coming year will see hackers set their sights on users of Web 2.0, mobile and RFID technologies due to the vast potential for financial gain each represents, according to a cybersecurity think tank.

A U.S.-based information security think tank has released a report detailing what it predicts will be the top five cyber threats in 2008.

The Georgia Tech Information Security Center (GTISC), a group of Georgia Tech faculty members from its College of Computing, School of Electrical and Computer Engineering and the Georgia Tech Research Institute, among other university entities, is a National Center of Excellence in Information Assurance Education dedicated to researching and spreading the word about new and upcoming cyber threats.

The first annual GTISC Emerging Cyber Threats Forecast for 2008 was released earlier this month at the group’s annual security summit, which featured leaders from such organizations as Google, IBM Internet Security Systems, McAfee, Symantec and the National Security Agency (NSA). Various representatives from participant companies contributed to the 2008 forecast.

“Attackers have become far more sophisticated and to maximize their chances of success, they will try to reach larger number of devices and computers via newer attack vectors that are not already widespread and well known,” said Mustaque Ahamad, GTISC director.

GTISC predicts that the following five cyber threats will increase and mature in 2008:

  1. Web 2.0 and Client-Side Attacks
  2. Targeted Messaging Attacks
  3. Botnets
  4. Threats Targeting Mobile Convergence
  5. Threats to RFID Systems

Monetary gain—as opposed to personal glory or notoriety—is and will continue to be the motivating factor for cybercriminals, according to GTISC.

GTISC predicts hackers will develop and execute several cyber threats over the coming year.

Web 2.0 and Client-Side Attacks

Web 2.0 technologies make online applications richer by providing functionality that boosts and enhances user interaction with Web pages—often through the use of the AJAX programming language. That means more of the code behind a page is executed on users’ browsers, or on the client side, and hackers can take advantage by implanting malicious code that will be automatically executed by the browser on seemingly harmless websites.

GTISC predicts social networking sites, like MySpace or Facebook, and mashups, in which data or media from various sources and with different coding styles are combined, will be targeted by hackers for such attacks, due in large part to their ability to draw huge numbers of users—many of whom aren’t tech-savvy and are therefore vulnerable.

“Web 2.0 provides much richer functionality and enhances the end-user experience. This, however, is enabled by the ability of browsers to execute code in ways that is more sophisticated than older technologies,” Ahamad said. “[We] at GTISC feel that security needs to be strengthened for Web 2.0-based applications…security professionals [need] to be aware of the potential new threats that could come with Web 2.0.”

Targeted Messaging Attacks

Targeted messaging attacks will increase in sophistication, according to GTISC, with a focus on individuals and their personal information or access permissions, instead of corporate networks or other infrastructure. Such attacks will be perpetrated through e-mail, instant messaging (IM), peer-to-peer (P2P) networks and social networking communities, and they’ll be increasingly hard to detect as criminals devise more ways to dupe already-suspicious users.

For example, spammers will bypass traditional spam filters by disguising their messages as business communications with PDF or Excel file attachments that help to trick antispam services into thinking they’re legitimate.

Instant messaging applications will also increasingly be employed to trick users into visiting potentially dangerous sites or to steal personal data. At the end of an IM conversation between known coworkers or friends, a hacker could intervene and send off a final message with a malicious link to one or both of the participants that appears to come from the other recognized party.


Botnets

Botnets, or networks of “zombie” computers that have been taken over by malicious servers, or “bot masters,” are nothing new. In fact, GTISC predicts that some 10 percent of computers connected to the Internet—that’s tens of millions of machines—are controlled by bot masters. However, such botnets will be used by hackers in new and dangerous ways over the coming year.

For instance, GTISC thinks botnets will be employed more and more often to aid fraudsters looking to steal information from individuals or organizations, instead of working to distribute spam and execute denial-of-service (DoS) attacks, as they have in the past.

Larger, more powerful botnets will be formed through P2P networks to circumvent traditional security safeguards like intrusion detection and prevention systems, according to GTISC. Due to the decentralized environment of such P2P networks, hackers could control botnets via multiple machines, helping cybercriminals get around current security safeguards.

Threats Targeting Mobile Convergence

As the number of people with Web-enabled cell phones and other devices rises, so does the potential gain from exploitation by hackers. GTISC predicts that threats in the form of voice spam and voice phishing will rise dramatically over the coming year, as well as DoS attacks on voice infrastructure.

GTISC also predicts that as mobile carriers offer more and more feature-rich applications and services, the threats to the carrier networks increase because of potential security flaws in the new apps. A single hacker who discovers a significant flaw in an application could use a DoS attack to order millions of phones to, say, call 911 at the same time, bringing down the nation’s Enhanced 911 system, according to GTISC. An attack of this nature was perpetrated against NTT DoCoMo mobile customers in Japan in 2001.

“Security solutions for mobile devices are lagging [behind] what is available for desktops and other platforms. The awareness of vulnerabilities as they get publicized and the need for vigilance in this area will become increasingly important for CIOs and their organizations,” Ahamad said. “Enterprises have policies for dealing with information on laptops, and as powerful mobile devices with richer applications become common, such policies will have to address them as well.”

RFID Attacks

Radio frequency identification (RFID) technologies wirelessly read and transmit information between sensors with unique IDs at specific, preset frequencies. RFID is by no means new, but analysts and experts predict investments in RFID and related sensor network technologies will rise dramatically in the coming five years, according to GTISC. That means hackers will set their sights on RFID, in hopes of profiting from unsuspecting users.

Currently, various RFID protocols, frequencies and formats can be built into single RFID card readers and tokens, making the technology more accessible and cheaper to use for consumers. But this consolidation also makes it easier for hackers to exploit. The majority of existing security protocols for RFID are limited.

Organizations that employ RFID for access control could fall victim to any of the following exploits, according to GTISC:

  • A specific user could be tracked via their RFID card, regardless of whether or not they were attempting to access a company building.
  • RFID identification numbers can be copied from access cards and distributed to outside parties to gain access to secure facilities.
  • A perpetrator could purposely direct a large number of individual access requests, or ID numbers, to card readers to crash the building’s entry system—another form of DoS attack.

More information on GTISC or its emerging cyber threats report is available on the group’s website.