Schwartz MSL Tangled Web

#AskForbes Twitter Chat Tackles Anonymous and Hacktivism Questions

Fri, 07 Jun 2013 13:37:41 -0500

On June 5th, the security PR pros at Schwartz MSL tuned in to a Twitter chat with Forbes Writer Parmy Olson as she fielded 30 minutes of questions about Anonymous and hacktivism from the @Forbes handle.

@Parmy, thanks for the great insights!

In case you missed the live chat, here is a rundown of the 10 questions people asked that we found to be the most interesting, along with the corresponding answers from Parmy.

Q: If there were a new social network dedicated to activism do you think it would attract the type of people who support anonymous?
A: Probably yes. Anon has been moving more towards activism and vigilantism lately, and supporters wear many hats.

Q: What do you think of all those #OP by Anon that are popping around?
A: The most recent Anon attacks have been smaller, more fragmented, and more 'vigilante' than trolling.

Q: What is the source of funding of hacktivists & Anonymous?
A: LulzSec took Bitcoin donations (prob worth a bunch now), but most ops don't need funding - IRC chats are cheap.

Q: Has Anonymous' account been ever hacked by someone?
A: Doxing is already rife in Anon. Feds also watch the Twitter accounts & yes, some get hacked: http://www.huffingtonpost.com/2013/05/31/anonymous-twitter-hacked_n_3366660.html.

Q: What do you think drives a group like Anonymous + would you say the effects are lasting and positive?
A: Many motivations: desire for notoriety, camaraderie, activism, a need to hack. Lasting effects lean toward positive.

Q: What if different hacktivists have different, opposing agendas? How do you reconcile that?
A: Often you can't, hence much discordance in Anon and unfinished ops. Some just want to troll, or hack or protest.

Q: Do you think a government agency will eventually try to shut down the #Anonymous movement?
A: Govs would like that but it's impossible - Anon's not a group but a fluid network. Supporters come and go.

Q: What is the primary driving forces of #Anonymous and #Hacktivists? How do #wikileaks become so visible to public?
A: 1. To have their voices heard, and it works. 2. Wikileaks struck a nerve by tackling the biggest institutions & secrets.

Q: Should the US hire members of Anonymous and others to fight cyberwars with China?
A: Could well happen one day - greyhat Hackers who've dabbled in Anon often move into cyber security anyway.

Q: Any guess what the typical profile of a hacktivist is? Age, education, etc... I'm fascinated by them.
A: I've seen a variety - men, women, kids, parents. The most impassioned are young men, often isolated or unemployed.

You can check out the full transcript of this Twitter chat on the Forbes website here.

Infosecurity PR Tips--in Less Than 150 Seconds

Tue, 09 Apr 2013 17:00:16 -0500

The Schwartz MSL digital team put me on camera to walk through the highlights of an eBook MSLGROUP recently published providing tips and tricks for Infosecurity PR. Infosecurity is the largest IT security show in Europe.

To download the free eBook from the MSLGROUP Technology Practice outlining tips for Infosecurity PR, click here.

Infographic: Infosecurity Thoughts

Thu, 28 Mar 2013 11:52:22 -0500

If you've read this far, you should download our eBook of tips/tricks for Infosecurity Europe PR. It also compares Infosecurity Europe to RSA Conference.

RSA Conference PR vs. Infosecurity Europe PR

Wed, 27 Mar 2013 10:06:19 -0500

We might both speak the same language (sort of), but certainly there are differences between Americans and our friends across the pond in Britain. I was in London last month and found it perplexing that they serve beans at breakfast, and pudding isn't a liquid. Then again, I am sure London natives are equally perplexed by American bad habits.

MSLGROUP represents IT security vendors around the world, and IT security pros often work hand-in-hand across Schwartz MSL and MSL London offices. This time of year, we collaborate even more frequently, given that two of the largest IT security trade shows on the planet are happening. RSA Conference 2013 was in San Francisco in late February (practically March), and Infosecurity Europe kicks off next month in London.

We wondered-- What are the differences between RSA Conference and Infosecurity? Are they the same from a PR perspective? Ahead of RSA Conference, the Schwartz MSL IT Security practice surveyed several IT security reporters in the U.S. to ask them about the show; recently MSLGROUP similarly surveyed U.K. reporters to get their thoughts on the Infosecurity event.

One glaring result of our research-- Key reporters are attending these conferences. Seventy-five percent of U.K. security reporters are planning to go to Infosecurity. While that's lower than the share of the U.S. security media contingent that attended RSA Conference, it's an impressive number, especially given all the talk of reduced travel budgets and remote working.

So what are the major differences between RSA Conference and Infosecurity? What are the similarities? And how should that affect planning for Infosecurity, given that show is about a month away?

MSLGROUP IT security pros pored through the results of the surveys and locked ourselves in a room to compare notes. The result is an eBook outlining Infosecurity PR best practices while reviewing how that show compares to RSA Conference from an IT security PR perspective. And the price is right for this eBook-- F-R-E-E. We invite you to download the eBook and share your feebdack.

Full Disclosure of Breaches? An IT Security PR Perspective

Wed, 06 Mar 2013 09:30:24 -0500

Just ahead of last week's RSA Conference, the New York Times reviewed a recent trend: More and more companies are telling the world that their computer systems have been compromised, even if those companies are under no obligation to do so. Just days earlier, the Times published its own mea culpa, admitting hackers penetrated the publication's systems. Nicole Perlroth penned both stories.

What is to make of the recent rise in self-effacement? From an IT security PR perspective, the crisis communications playbook rather quixotically proclaims that disclosing bad news is a good thing. PR pros are taught the virtures of telling the truth and "getting it out and getting it over with" when troubling news arises. It would appear such best practices are making their way into the thoughts of CIOs and CISOs faced with word of compromised systems.

[Note: While many state laws and other legal requirements dictate that companies disclose data breaches, there still are many circumstances when specific IT security incidents are out of the scope of these rules, such as if the data compromised was encrypted or did not contain personally identifiable information. Further note: I am not a lawyer, and questions regarding data breach notification requirements are best left to legal departments.]

The rationale for coming full circle with data breaches goes beyond nobility or ethics; it turns out most people appreciate brutal honesty. By taking the initiative to admit a breach and fix the problem, companies can end up benefitting from positive PR in the end.

Consider Heartland Payment Systems, a company discussed in the New York Times story. Heartland was at the center of one of the most infamous data breaches of all time, when it disclosed in early 2009 that its credit card processing systems had been inflitrated, potentially compromising card information for millions of people.

Heartland disclosed the breach, set up a website to communicate directly with interested parties, and then began discussing how it was addressing the news. Over the course of several months, Heartland announced relationships with companies providing innovative security technologies as a way to show its commitment to preventing any sort of breach in the future. It turned Heartland-- a company few even knew of before the breach-- into a security innovator.

While more and more companies are disclosing breaches, it still takes some time between when the breach is discovered and when the company announces it to the world. Some would argue that it is a bit of a disservice to the public to wait. I argue that PR disclosure at any point is much preferred to no disclosure at all.

Schwartz MSL IT Security PR Pros at RSA 2013

Tue, 05 Mar 2013 13:46:19 -0500

Roughly 40 Schwartz MSL staffers were involved in RSA Conference 2013 for our IT security practice. Above are a few that were able to take a break during the show for a team photo. From left to right: Nina Gill, Iris Herrera Whitney, Dara Sklar, Sam Katzen, Laura Finlayson, Ross Levanto, David Broughton, Bill Keeler, Nicole Solera, Dave Bowker, Dan O'Mahony. [Photo Credit: Bill Reber, Schwartz MSL Digital]

Cybersecurity Executive Order - Is This It?

Wed, 13 Feb 2013 11:38:56 -0500

Well, the White House issued the Cybersecurity Executive Order on Tuesday and many are wondering if that's it?

Here are a few key takeaways from the EO. It will be interesting to see the unclassified documents showing specific cyber threats already attempted on critical infrastructure sites. One year from today a final Cybersecurity Framework will be published per the EO.

Did you think there would be more or less sizzle in the EO?

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the "Secretary"), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

Takeaway: By June 12 the government will share unclassified reports of attacks on specific critical infrastructure sites with the owners. This should be interesting if there is an alarmingly high volume and we find out bridges, water treatment plants, etc., are being heavily targeted.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the "Director") to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.

Takeaway: By October 12, the government will release a draft of the framework. By February 12, 2014, the final Cybersecurity Framework will be published. With DHS Secretary Napolitano and other gov't officials openly discussing the imminent possibility of the Cyber 9-11 type event, the next 12 months could seem like an eternity for many owners of critical infrastructure sights. The timeframe is probably the most realistic it can be considering the type of input, planning and debating of the key issues that will have to take place.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section.

Takeaway: Technology vendors will not publicly be identified by the gov't as having commercial solutions to combat attacks against mission critical sites. By July 12 a list of critical infrastructure sights that, if hit, could be catastrophic to the safety and health of Americans, will be released. Expect the list to include:

Subways (NYC, Philadelphia, Boston and other large cities)
Trains: Amtrak operates more than 22,000 miles of track in 46 American states
Nuclear power plants (There are 65 commercially operating nuke plants within the US in 31 states with 104 nuclear reactors. The plants generate 20 percent of U.S. electricity)
Power plants: There are hundreds of other power plants in the US, including hydroelectric power, coal burning power, oil-fired power, geothermal power, natural gas power and wind farms
Federal Reserve: The central banking system for the U.S.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law. This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Takeaway: Nothing in the final Critical Framework is enforceable by law.

Already Preparing for RSA Recovery

Fri, 08 Feb 2013 11:21:58 -0500

Each evening at RSA Conference features a full line-up of cocktail receptions, dinners and other private receptions. The business of the show carries on well into the night and often into the early morning. Recovery is an important concept.

The analysts at Securosis come to the rescue each year by hosting a recovery breakfast where attendees can grab a nice breakfast, drink coffee, and discuss the highlights of the show.

Schwartz MSL is sponsoring this year's breakfast, which is scheduled for Thursday of RSA week (February 28) from 8-11 a.m. at Jillian's Restaurant, which is adjacent to the Moscone Conference Center.

The Securosis event comes during the second half of the RSA Conference week. It's a week that the IT Security PR pros at Schwartz MSL know well. We've even put together an eBook to help security PR and security marketing teams as they get ready for the show. Click here to download your free copy.

For the PR pros, marketing peeps and execs at the RSA Conference, we invite you to stop by. If you are planning to attend, please RSVP by emailing rsvp (at) securosis (dot) com.

We're excited to hear the reason for Securosis's Rich Mogull's absence from this year's breakfast; He and his wife are expecting a baby!

Security PR: RSA Conference 2013 Reporter Insights

Mon, 04 Feb 2013 12:00:17 -0500

February's arrival means it's not long now until the IT security world descends on San Francisco in a whirlwind of networking, deal making, chotsky collecting and Moscone Center-induced sore feet.

Here at Schwartz MSL we have decades of experience guiding our clients down the right road when it comes to maximizing their strategic communications program before, during and after RSA Conference. Connecting security company executives and researchers with top reporters for in-person meetings during the show is a key component.

As you can imagine at the industry’s marquee event, competition is fierce for face time with reporters. What does it take to land media meetings? To find out, Schwartz MSL surveyed 50 of the top information security journalists. Here is a sneak peek at the findings:

For more tips and tricks to maximize PR and marketing opportunities around RSA Conference, download the new Schwartz MSL eBook, “Road to RSA Conference 2013”. Contact us with questions or for assistance.

Good luck and have a great show!

Road to RSA eBook Available Now

Fri, 01 Feb 2013 12:27:48 -0500

The RSA Conference 2013 is just around the corner and there is nothing more important for most companies than connecting with new prospects and re-connecting with current partners and customers. It is a place to get reacquainted with old friends and colleagues but also meet new people in order to hear their take on identifying and mitigating myriad IT Security network and mobile device threats.

Often times, companies are looking for advice and tips on how to best maximize their time during the week at RSA. When it comes to public relations and media relations, there are more than 100 respected journalists usually on site, in addition to dozens of industry analysts. Schwartz MSL is helping their existing clients and can help other companies wade through the choppy waters of media relations. The Road to RSA eBook is chock full of information on what reporters are interested in covering at the show and where they prefer taking interviews. In addition, we included the names and Twitter handles of the most influential reporters so you can follow them at the show

We're here to help so let us know if you have any questions. Enjoy!

2013 IT Security Predictions from Cloudmark

Thu, 20 Dec 2012 15:30:47 -0500

Today’s Tangled Web posting comes from Neil Cook, CTO for Cloudmark. Cook shares his security trends for 2013.

The prevalence of smartphones and continuing rollout of Long Term Evolution, a widely adopted standard for wireless communication of high-speed data for mobile phones and data terminals, will help create optimal conditions for spam-sending botnets.

We’ve already witnessed examples of self-propagating malware on Androids emerge. In the past week, our research lab has been closely following an Android Trojan, dubbed SpamSoldier, which is infecting Android phones causing them to send out spam and invitations to download the infected apps. While this malware is currently not nearly as sophisticated at PC botnets, we anticipate a dramatic increase in such types of attacks, and so early-stage botnets like SpamSoldier are a harbinger of worse things to come in 2013.

In the coming year, we anticipate outbound spam will be a major issue for consumers and wireless carriers. Hacked accounts have been an increasing trend in outbound abuse and this situation will only continue to worsen. Often, consumers won’t know that their phone or PC has been infected with malware sending out suspicious messages and infecting other devices. Such attacks are harder to combat – unlike spam perpetuated through a specific number or IP address, infected phones and PCs cannot always be remotely disabled or blocked.

Mobile message phishing and smishing attacks will also become more sophisticated as cyber criminals increasingly realize the effectiveness of mobile messaging as an avenue to spread spam and infect phones. SMS is rapidly overtaking email as an effective mode of communication, with consumers opening more than 97 percent of all SMS messages received. More cyber criminals are already beginning to realize the enormous potential mobile messaging presents for attacks and spam campaigns.

Another target for spammers will be over-the-top messaging providers such as WhatsApp. We anticipate that hacked/ fake OTT messaging accounts will be used to spread fraudulent scams against subscribers.

Finally, cyber criminals will set their sights on personal data acquired through social engineering and deceptive tactics via social media, email and messaging channels. These campaigns will target individuals with offers of free gifts, gift certificates and giveaways as well as surveys. The overall objective is to lure unsuspecting individuals into revealing confidential information that can be further used to perpetuate other scams and spam campaigns. We predict social engineering attacks like these will be some of the biggest threats to personal data privacy in 2013.

Security Predictions for 2013 from Cenzic

Thu, 20 Dec 2012 07:22:19 -0500

The next in our series of 2013 predictions posts comes from Campbell, California. Read on to see what Cenzic Chief Marketing Officer Bala Venkat has to say about IT security trends in the New Year.

As the year 2012 comes to a close, it is quite clear that mobile and Web based applications will continue to gain popularity in 2013. While it makes perfect business sense for organizations to embrace these technologies, they also need to make sure that they invest enough resources to safeguard these applications against potential breaches.

The lines between web, cloud and mobile are blurring. The growth in the data and the applications across enterprises is staggering. Over 95% of the breaches happen at the application layer because hackers know that’s where the important information resides. As the threat vectors evolve, we’ll see increasing number of attacks targeting data stored on a server or a web application, via web services.

With organizations adopting more SaaS based services, they are losing control of the infrastructure, coding standards and security of these applications. Also, with fewer IT resources to maintain the IT and application systems, they are relying on the data center operator or service provider to protect their data. However, the problem with mobile applications is still the same that enterprise applications have, because all mobile applications use a web or a web services application as their back end. If that is not secured, a hacker might go into the mobile device and try and pinpoint the maximum mobile users, or go and attack a mobile application to get data specifically from a targeted individual or a targeted group of individuals. The issue is that targeting individuals is the primary cause for mobile attacks, or to get that information off of mobile phones. It’s easier for a hacker to just download an application, jail break a device and find out what services are being used by that application and basically get the keys to all the information. These types of attacks will continue to rise in 2013.

Trends for 2013: Astounding Growth of Mobile Malware

Wed, 19 Dec 2012 07:30:03 -0500

Today’s Tangled Web posting comes from Sebastian Bortnik, education & research manager for ESET Latin America. Bortnik shares his security trends for 2013.

In 2012 the number of unique detections of malware for Android increased globally by a factor of 17X (yes, that is 1,700%), and we expect the increase in 2013 to be even greater. This is one of the main predictions in the white paper we are releasing today: "Trends for 2013: astounding growth of mobile malware" (PDF).

As our regular readers know, near the end of the year the research teams at ESET discuss the malware and cybercrime trends they think will be important in the next 12 months. The Latin America team first took the step of publishing the results of that discussion in a paper seven years ago. Three years ago it was decided to share that information in English here on ESET's worldwide blog. Among the predictions that can be found in the document we publish today is that malware for smartphones will once again experience rapid growth in 2013.

In reaching this conclusion, we analyzed what has happened with malware for mobile platforms over the last 12 months, seeing that its growth has been even greater than we had imagined at the end of 2011. In the paper you can find more detailed information about that growth together with analysis of data we have collected. Although the number of different families for malware for Android has not increased much, if we look at the number of variants, we do see serious growth. A variant is a modified version of a specific and known malicious program. Cybercriminals modify the structure and the code of an existing threat to create a new one with the aim of adding new malicious functions and evading detection by antivirus programs. The graphic below shows four leading malware families for Android and the number of variants that appeared in 2011 and 2012:

As you can see, the increase in variants within some families of Android malware is very dramatic. This drove the annual growth rate in detections of Android malware in 2012 as to 78X in Ukraine, 65X in Russia, and 48X in Iran.

So what does this malware do to smartphones? Basically we can divide the threats into three groups: information theft; botnets; and SMS Trojans. Our research indicates that SMS Trojans represent 40% of all Android malware at the moment. After infecting the phone, SMS Trojans start sending messages to premium SMS numbers that have an additional cost to the user, which is, of course, profit for the attacker. Although they have been more popular in Eastern Europe, in recent years SMS Trojans have been expanding throughout the world, like the Android/Boxer variant affecting 63 countries in the world, about which we published a white paper a few days ago.

In the paper we publish today you will also find information about additional trends that will be important in the next year, such as the spread of malware via infected websites, among others. Feel free to download and share: "Trends for 2013: astounding growth of mobile malware." We hope you find it helpful in planning your strategy for a safe and secure 2013.

2013 IT Security Predictions from BlueCoat

Tue, 18 Dec 2012 07:16:50 -0500

Tuesday’s Tangled Web posting comes from Chris Larsen, BlueCoat’s Malware Research Team Leader. Read on to see what Larsen has to say about IT security trends in 2013.

Chris Larsen, Malware Research Team Leader of BlueCoat

Mass Market Attacks Become a Beachhead for Targeted Attacks

If your organization has valuable data, assume someone is going to come after it in 2013 through mass market attacks that provide cover for targeted attacks.

Businesses today manage so many end points that at any given time tens to hundreds of them may be infected, typically with mass market malware. While not the ideal security situation, businesses nonetheless tend to tolerate this level of mass market malware infections. In 2013, this tolerance level will create a backdoor for covert targeted attacks.

The thriving underground economy connects cybercriminals that are running bots with motivated attackers that are willing to pay top dollar to use the system of infected computers. This allows cybercriminals that are targeting a specific company to rent out or buy outright infected machines within a target IP range. As the size of a company increases, the certainty that a cybercriminal can find an infected system to co-opt rises exponentially. In this way, what was an infection from a mass market attack can covertly become a targeted attack.

Facilitating this shift will be the addition of intelligence gathering tools to standard Trojans that actively explore a hard drive rather than wait for a user to go to financial site.

Mobile Mischiefware Gives Way to Mobile Malware

With more businesses allowing employees to access the corporate network from mobile devices, expect these devices to become high value targets in 2013. Today, the smartphone penetration game is characterized by “mischiefware,” such as sending SMS texts or in-app purchases within rogue applications, that operates within the parameters of an app and does not break the phone’s security model. In 2013, expect to see malware that doesn’t show up as an app on the smartphone, but instead exploits the security of the device itself to identify valuable information and send it to a server. Hand-in-hand with this new mobile malware threat, expect to see the first mobile botnet that can forward SMS messages to command and control servers.

Malnets: If It Isn’t Broken, Don’t Fix It

In 2013, expect that most malware will come from large malnets that operate “malware as a business model.” These infrastructures are highly efficient at launching attacks and highly effective at infecting users. As a result, malnet operators have built a thriving business. Their continued success at infecting computers indicates that they don't need a revolutionary breakthrough to continue making money, just on-going evolutionary adjustments.

In 2013, expect them to refine their models and invest in the business to develop more sophisticated, believable attacks. By hiring translators and copy editors, malnet operators will be able to better create phishing emails that mimic the real page of a financial institution, for instance. They can also invest in more believable web sites facades and more comprehensive exploit kits that will make their attacks more believable, increasing the likelihood of their success.

The Big Data Model Comes to Threat Intelligence

Expect the security industry to adapt the big data model to understand more about potential vulnerabilities at a network and user level. Security and networking solutions all generate logs – significant amounts of information that tells you about user behaviors, traffic on the network and more. Mining this data to find discernible patterns in risky behavior, threats and anomalies on the network as well as correlations between behavior and risk will allow the industry to build new defenses that can help users make safer default choices.

Sharing Generation Becomes More Private

The wide availability of information exposed users to very personal targeted attacks that reference family members, pets and other personal information in an attempt to gain access to confidential information. This ready availability of user information also allows cybercriminals to waterhole users by more easily identifying the online places they visit and laying booby traps. As a result of this greater risk, in 2013, users that have operated from a share everything model will begin to limit how much and what information they share and who they share it with.

Securing the Business in 2013

The threat landscape will continue to evolve as cybercriminals adjust and refocus their attacks. In particular, as mass market and targeted threats converge, it will be important for businesses to take a holistic view of their security. No longer should mass market and targeted attacks be viewed as separate threats. They have now become one and the same.

To protect their data and users, businesses should focus their defenses on visibility for all traffic, including web, non-web and even SSL. Each defensive solution logs traffic. Reviewing those logs on a regular basis to identify anomalies is crucial to stopping attacks. Businesses also need to understand who is supposed to be using data and how it is supposed to be accessed.

In response to the shifting threat landscape, businesses will need to adjust their security approach to ensure they are not the victims in 2013.

Five Cybercrime Trends Likely to Continue into 2013

Mon, 17 Dec 2012 07:13:58 -0500

Up next in our security predictions series is from Salt Lake City, Utah. Read on to see what Solera Networks Director of Threat Research, Andrew Brandt has to say about IT security trends in 2013.

2012 has been a challenging year for incident responders and security analysts. Ne’er-do-wells of the Internet have been flooding our inboxes with malicious spam; scattering exploit kits around the ‘net; and spreading malware to, and from, the four corners of the Earth. With the context of what’s happened in the past year in mind, we once again dusted off the crystal ball to deliver a short list of predictions of what we can expect over the coming 12 months. In no particular order, they are…

More Attacks Staged Through Compromised Websites

Attacks delivering malware rapidly earn the Web domain hosting the attack, or its IP address, a bad reputation. This kind of activity also doesn’t remain under the radar for long. Once the really big reputation services, like Google SafeBrowsing, flag a domain as a source of malicious stuff, browsers that hook into that information (such as Firefox) throw dire warnings in the face of visitors, cautioning them away from the site delivering an infection.

Ending up on one of those reputation filters is like a death sentence to a malware campaign. So one way that malware distributors try to stretch out the amount of time an attack URL will remain viable is to abuse someone else’s website — preferably, one with a good reputation, but almost any will do. Malware distributors use links to pages hosted on these legitimate websites to bounce computers destined for infection to another site delivering the infectious code.

Because the compromised, legitimate site merely redirects the traffic elsewhere and doesn’t deliver the actual infection, the domain doesn’t (reputationally, at least) self-destruct as rapidly as a freshly-minted domain with no behavioral history to speak of otherwise would. As a result, this has become the preferred first stage for broadly distributed, spam-driven attacks. With a virtually unlimited supply of potential victim-Web-sites, it’s hard to imagine this problem getting any better before it gets worse.

If you own or operate a Web site, you can take steps now to protect yourself. Credential compromise usually comes down to one of three methods: password-stealing malware swipes saved FTP credentials or sniffs them as they’re typed in by the user; unpatched or no-fix-available vulnerabilities in commercial web hosting, blog, and CMS software leaves passwords in plain text or easily crackable; or phishing.

If you regularly upload files to a website or manage it through a CMS, you’re in the crosshairs. Using a non-Windows computer as a Web site management box will prevent the most common Windows-based password-stealing malware from functioning. If you use a popular, free CMS like WordPress.org or Joomla, make sure that not only are you running the latest version of the CMS software itself, but also that you’ve updated any third-party plugins or add-ons, and that you’ve removed all components of ones you don’t need — silly things like photo gallery plugins can cause big headaches if someone discovers that the plugin, for example, stores its credentials in plaintext in a standard location.

Increased Use of Blended/Multi-Stage Threats

Solera Networks has observed an increased use of “self-perpetuating” email worm modules by botnet malware, and predicts that the use of this model will expand in 2013.

The malware, spread by front-line downloader Trojans such as Kuluoz or Cridex, most often appears on infected machines as a second stage payload. The spam relayer component then leverages the infected machines to perpetuates the infectious links or attachments via spam email messages; The screenshot above shows a frequency-distribution analysis of the most frequently used Subject: lines used by one such Trojan, which last week sent 685 spam email messages from a single infected testbed within a 25 minute timespan.

On an infected system, it can be next to impossible to detect that the spam relayer is operational without using specialized tools. Like many botnet Trojans, the malware hooks itself to legitimate Windows processes, such as svchost.exe, and runs from within the legitimate program’s memory space. A casual observer looking at Process Explorer or Task Manager would see a totally ordinary, predictable list of running processes.

One might be able to infer its presence if the computer becomes less responsive, but you’d have to have Rain Man skills to detect the performance hit in this age of multi-core desktops and speedy broadband network connections. Trickling out 500 messages at a time, over a prolonged period, periodically pausing, wouldn’t even register at an ISP unless and until spam filtering services began adding your computer’s IP address to their “source of spam” lists. Even then, not all ISPs notice or care.

Both businesses and ISPs can restrict the use of unauthenticated SMTP on their networks, but that tends to interfere with the users of uninfected computers; At the very least, businesses should watch for spikes in the email traffic volume of individual non-mail-server computers on their networks as an indication that malware is acting as a postman spewing letter bombs.

For now, those letter bombs are actually highly prone to being duds. Check out the broken anchor tag in the screenshot of one of these relayed spams. As a result of the hrefttp in the HTML source of the message, the malicious links a victim would have to click in order to infect his or her computer don’t actually work. D’oh! We saw the Trojan spam out thousands of these broken messages. D’oh squared! If past performance is any indication, they won’t stay that way for long. I expect they’ll discover, and fix, this temporary problem in the near future. But seriously, that’s pretty dumb.

The Resurgence of the Zero-day Vulnerability

Despite increased efforts by OS vendors to shore up their systems and increased efforts by attackers to expand to other targets, such as Adobe Flash or PDF, work to discover new vulnerabilities goes on, with greater automation thanks to a plethora of fuzzing and memory analysis tools. With a brand-new version of Windows on the market, it seems like a safe bet that one or more zero-day threats will strike in the coming year, but even without Windows 8, nothing seems safe — not even tools used by security professionals. Don’t get cocky and watch your back, Red Team.

Hacktivism: DDOS on the Rise

While some identifiable members of the hacktivist community were arrested or convicted in the past year, the movement as a whole remains viable. Next year, we will likely see an increase in hacktivist attacks. In some cases, the growing availability of tools for conducting DDoS attacks may contribute to the frequency of their use.

We may also see attacks by hacktivists involving “intentional misattribution,” in which the attackers try to make it look like attacks originate elsewhere in order to taint the reputation of the misattributed host or its owner.

Lateral Attacks: The Rediscovery of the RAT

Based on trends observed in recent months, Solera Networks predicts an increase in the use of remote access trojan (RAT) malware as a drive-by download deliverable. Unlike botnet malware, in which a single operator can send commands to huge botnets all at once, RATs (such as Andromeda) require more active, personal involvement on the part of the attacker.

But just because the attack doesn’t involve botnet-style automation, it doesn’t mean its actions are benign or any less threatening. An attacker in control of an Andromeda-infected computer can leverage that machine to gain a foothold inside a network and determine what other machines or valuable information resources can be accessed. Bespoke RATs can be harder for conventional antivirus tools to detect than broadly available botnet malware, as fewer examples exist from which antivirus software companies can build detection signatures.

Malware distributors know that botnets and RATs specialize in performing different tasks, and they use both to their advantage. Don’t underestimate the threat level of either type of malware.