July 29, 2008

Study Shows Hackers Are Getting Faster And Savvier

New research shows that Internet hackers are narrowing the time frame they need to unleash computer attacks that take advantage of publicly disclosed security holes.

Many sites are being compromised within 24 hours after a vulnerability is disclosed. IBM Corp.'s latest Internet Security Systems X-Force report said security flaws are being exploited in Web browsers, computer operating systems and other programs before many people even have had time to learn there's a problem.

Released on Tuesday, the report looked at the first six months of 2008 and reflects two growing trends in Internet-based threats.

One is that online criminals have latched on in a big way to programs that help them automatically generate attacks based on publicly available information about vulnerabilities. In the past they apparently spent more time finding such holes themselves, but they no longer find that necessary.

Kris Lamb, operations manager for X-Force, said the bad guys are not the ones actively finding vulnerabilities.

"They've shifted their business to standing on the shoulders of the security research community. They don't have to do the hard work anymore. Their job is packaging what's been provided to them."

The second trend is that the debate among security researchers is intensifying over how much information should be released to the public when a new software flaw is discovered.

Researchers typically wait until the affected company has released a software patch before revealing details. But sometimes researchers will release not only details of the vulnerability but also so-called "proof-of-concept" exploit code to show the flaw is legitimate.

That runs the risk of providing criminals a framework for building their attacks, and saves them valuable time in doing so. Lamb said this finding "begs the question" of what the security industry's standard practice should be.

However, some researchers say the practice of supplying exploit code is necessary. They say it's a powerful tool to pressure companies into creating patches and users into applying them, and also helps technicians study how the attacks work and prevent them in the future.

The tools criminals use to generate their attacks - known as exploit code - are appearing online faster than before, according to the IBM report.

The time from vulnerability disclosure to the availability of exploit code or a working attack has typically been measured in days or even weeks as criminals try to get their arms around a newly discovered weakness, but the gap is continuing to shrink.

IBM's report said that in Web browsers - an area heavily targeted by hackers - hacking exploits were available within a day after flaws were discovered 94 percent of the time, up from 79 percent in 2007.

The report added that for all PC vulnerabilities, over 80 percent of the exploit code was released the same day - or even before - the holes were publicly disclosed, up from 70 percent last year.

If researchers have discussed the flaw without providing specifics, exploit code can surface even before a vulnerability is made public.

Such a tactic allows them to attach their names to high-profile vulnerabilities they've discovered, while giving companies time to create patches. The downside is other researchers can often work backward from the public comments and create their own exploit code.

Spammers are also changing up their tactics, the report said. The number of spam messages continues to rise.

Spammers are now ditching the pictures and complicated messages they would include in their junk e-mail and opting instead for simple messages and a sole Web link to evade spam filters and redirect users to sites under their control.