IBM released findings from the 2009 X-Force Mid-Year Trend and Risk Report. The X-Force report showed an extraordinary number of security threats across all facets of the web due to Web client, server and content threats coming together to produce an intolerable amount of risk to the IT community, corporations, governments and web users at-large.
What is going on? According to the report, the increase in the count of malicious web links has risen by 508%. A 508% increase in the first half of 2009 alone. It isn’t just the known web trouble spots such as adult rated content sites and Nigerian scammer e-mails, the malicious links have been found on trusted sites. The report lists trusted sites including popular search engines, forums, personal web sites, blogs, mainstream news sites and online magazines. In general, any website can be compromised. X-Force Director Kris Lamb on the state of the Web was quoted saying that: "There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."
The 2009 Midyear X-Force report also finds that:
- Vulnerabilities have reached a plateau. There were 3,240 new vulnerabilities discovered in the first half of 2009, an eight percent decrease over the first half of 2008. The rate of vulnerability disclosures in the past few years appears to have reached a high plateau. In 2007, the vulnerability count dropped for the first time, but then in 2008 there was a new record high. The annual disclosure rate appears to be fluctuating between six and seven thousand new disclosures each year.
- PDF vulnerabilities have increased. Portable Document Format (PDF) vulnerabilities disclosed in the first half of 2009 already surpassed disclosures from all of 2008.
- Trojans account for more than half of all new malware. Continuingthe recent trend, in the first half of 2009, Trojans comprised 55percent of all new malware, a nine percent increase over the first halfof 2008. Information-stealing Trojans are the most prevalent malwarecategory.
- Phishing has decreased dramatically. Analystsbelieve that banking Trojans are taking the place of phishing attacksgeared toward financial targets. In the first half of 2009, 66 percentof phishing was targeted at the financial industry, down from 90percent in 2008. Online payment targets make up 31 percent of the share.
- URL spam is still number one, but image-based spam is making a comeback. Afternearing extinction in 2008, image-based spam made a comeback in thefirst half of 2009, yet it still makes up less than 10 percent of allspam.
- Nearly half of all vulnerabilities remain unpatched. Similarto the end of 2008, nearly half (49 percent) of all vulnerabilitiesdisclosed in the first half of 2009 had no vendor-supplied patch at theend of the period.
Lamb’s diagnosis of the health of the web is disconcerting and disheartening as we enter the age of cloud computing. Is cloud computing the answer? Many companies, including AMD, IBM Intel and Microsoft are investing heavily in cloud computing. On BSN*, we wrote stories on cloud computing ranging from Intel’s public effort to expand distributed computing to 250 million users to Microsoft creating a cloud computing application that brings smartphone capabilities to "stupid phones".
Rest assured, cloud computing is nothing new, only a new hopefully improved iteration of an age old concept- pooling resources to save money. In fact, cloud computing is reminiscent of the time-sharing models of 1960s mainframes. Bruce Schneier feels that cloud computing simply adds one more layer of trust – you must now trust your software companies. But consumers trust software companies already?don’t they? Consumers have to, to a degree. Bob Gellman states, "the nine most important words in cloud computing are: "terms of service," "location, location, location," and "provider, provider, provider." Schneier clarifies: "You need to make sure the terms of service you sign up to are ones you can live with. You need to make sure the location of the provider doesn’t subject you to any laws that you can’t live with. And you need to make sure your provider is someone you’re willing to work with. Basically, if you’re going to give someone else your data, you need to trust them."
Should – and more importantly, will – consumer and enterprises cozy up to the cloud? The X-Force report above speaks of dark predicament of cloud computing, because if the security situation is as bad as it is now, what would happen if these computer security threats would infect a cloud that serves several thousand or several million users? The computing power that would spread malicious software is just terrifying.
How rosy is the future of cloud computing amidst the dire forecasts of Web anarchy? Only time will tell but AMD’s Simon Solotko thinks the future is bright for cloud computing. In his blog, he touts the utility of cloud based advances. More recently in a July 29 blog article, Simon or rather, his muse Inez Drew, envisions the cloud coming home to the consumer. That’s right, your own personal cloud. I’m trying very hard to keep visions of Mick Jagger and the Rolling Stones’ "Get Off of My Cloud" out of my head right now?it’s my cloud, not yours. Go get your own. Oh wait, cloud computing is all about sharing. But in the current chaos of the Web, will we be sharing documents to boost productivity and memories with loved ones? Or will we be sharing our credit card numbers? As the X-Force report grimly points out – with the proliferation of criminals on the Web, who can you trust? Here’s to hoping that the cloud doesn’t burst with a nasty security-breaking needle.