Feds Wrestle With Security Threats

WASHINGTON -- BLACK HAT DC 2008 -- Hackers are getting more creative and avaricious, and enterprises and government agencies are struggling to keep up, current and former officials said here today.

In a frank assessment of the current state of security in the U.S., two keynote speakers said security professionals are fighting an uphill struggle to defend against an increasingly broad array of threats from cyber criminals..

"Today's hackers are increasingly motivated and persistent, and they're using technologies and practices that are becoming more sophisticated all the time," said Jerry Dixon, director of analysis for the Team Cymru research organization and former executive director of the National Cyber Security Division and US-CERT.

In a recent study, Team Cymru ran 1,066 pieces of current malware against 32 antivirus packages. The AV products detected only 37 percent of the malware. "A lot of people still think that because they have AV tools in place, they must be safe," Dixon said. "We have to help them understand that that's not the case."

Team Cymru has detected some 3.6 million command and control relations on the Web, which suggests a huge growth in botnet traffic, Dixon said. "And that's just what we know about," he says. "With increasing use of P2P and encryption, botnets are becoming very difficult to detect."

Enterprises need to do more to protect themselves against these growing threats, Dixon said. "We're still seeing that most organizations don't know where their data resides and who they're sharing it with." Some companies have not upgraded their router infrastructures for six or seven years, he notes, rendering them too old to take advantage of current security upgrades.

While Dixon offered the long view of Internet security threats, Internal Revenue Service security expert Andrew Frieh offered a look at some of the specific attacks, particularly phishing exploits, that target the U.S. tax service.

"We saw the first IRS phishing site in 2003, and there was only one in 2004," said Frieh, whose official title is Treasury inspector general for tax administration. "Currently, there are more than 1,600 of them."

The IRS is seeing a wide range of attacks that have evolved from these early phishing efforts, Frieh said. In some cases, phishers pretend to be IRS investigators and demand users' personal information. In other cases, the user is presented with an online form that offers a tax refund that can be deposited directly to that user's debit account.

"We'll likely see more of this as we prepare to issue tax relief in the second week of May," Frieh said.

Some phishers have expanded their IRS-related exploits to include "vishing" attacks that encourage users to give up personal information over the phone, Frieh said. The agency even has seen traditional 419 scams that ask the user to send money to a Gmail account, he said.

Most of the exploits emanate from eastern Europe, and the perpetrators generally are happy with even a very low threshold of success, Frieh said. "When you think about where some of these people live, they don't need to make hundreds of thousands of dollars to do well," he observed.

The government is making an effort to stop the growth of these attacks, and it has succeeded in shutting down a number of phishing sites, Frieh said. "But it's like playing a gigantic game of whack-a-mole," he says. "Once we shut down a site, another one pops up in its place."

The IRS also is making a conscious effort to expose vulnerabilities among taxpayers, Frieh said. Many hackers are moving away from direct attacks on Websites and seeking to install keyloggers and other malware, he observed. "Pretty soon there won't be a need for phishing sites," he said. "It'll all be done through keyloggers."

The agency is also taking a close look at P2P vulnerabilities, Frieh said. "Every year we do a P2P scan to see what we can find," he said. "You'd be surprised now many tax returns we can find with a simple scan."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.