The focus of this paper is to identify dominant trends of
information security threats to the Internet 2001 to 2007. This
paper is intended to provide an understanding of the new
emphasis of attacks through use of robotic networks and how
some users and organizations are already preparing a response
using innovative visualization techniques in conjunction with
traditional methods. The scope of research will focus on basic
enterprise level services that are commonly provided by various
corporations; e.g., e-mail, browser applications, wireless and
mobile devices, IP telephony, and online banking. The research
will first review the network infrastructure common to most
corporate organizations and assume basic enterprise components
and functionality in response to the current security threats. The
second emphasis will consider the impact of malware robotic
networks (Botnets and Puppetnets) on the corporate network
infrastructure and how to address these threats with new and
innovative techniques. This approach is pragmatic in application
and focuses on assimilation of existing data to present a
functional rationale of attacks to anticipate and prepare for this
coming year.
Puppetnets and Botnets: Information Technology Vulnerability Exploits that Threaten Basic Internet Use

Erwin Louis Carrow
University System of Georgia
Board of Regents
270 Washington Str. S.W.
Atlanta, Georgia 30334 USA
404-657-9890
erwin.carrow@usg.edu

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
Information Security Curriculum Development Conference’07, September 28-29, 2007, Kennesaw, Georgia, USA.
Copyright 2007 ACM 978-1-59593-909-8/00/0007…$5.00.

General Terms
Management, Measurement, Documentation, Performance, Design, Security, Human Factors, Theory, Verification.

Keywords
Botnets, Puppetnets, Black holes, Honeypots, Honeynets, Honeymoles, Security Threat Gateway (STG), user space

1. INTRODUCTION
Current trends in Information Technology Security exploits have progressively placed more emphasis on targeting common services used to support users and corporate entities. The most common services for corporate entities and home users consist of email service, website hosting, Internet web browsing, and connectivity through both wired and wireless access points. Additional services include, depending upon the complexity of the network, Domain Name Service (DNS), Intrusion Detection Service (IDS), Intrusion Prevention Service (IPS), Firewall for network perimeter security, and some type of Domain X500 Directory service for user level access control. The vector for hacker exploitation has not dramatically changed over past years, but the vehicle for implementation of the attack has become increasingly automated and subversive under the guise of robotic attacks. These attacks are often made using unknowingly compromised users’ personal computers or corporate resources employed for malicious internet attacks through ordinary web browser code or in underlying background processes through some remote control access. These infected systems act as conduits for malevolent attacks redirected against individual users, websites, or network domains. Once a hacker or organized crime element has gained control of an extensive array of these computer devices, they can then be used as an army of resources to launch single or multiple attacks against an Internet objective. These networks of hacker-controlled systems are commonly referred to as Zombies, Botnets, and to a lesser degree, Puppetnets. With the introduction of new technology, older exploits are being retooled for the new infrastructure communications capabilities which include: IP telephony integration, wireless and mobile devices, video, and storage area networks. Currently the application of technology exploitation is fertile and seemingly limitless due to the ever-growing avenues of technological advances. This explosive growth of the internet has challenged effective network infrastructure administration, and more importantly, the ability of security tools and processes to mitigate malicious exploitation of ordinary users. This paper will summarize common exploits in current use, and propose methods to identify the basic tactics and respond in a timely manner.

2. TRENDS AND CURRENT STATE OF VULNERABILITY
The use of automated attacks has become so serious that many are questioning the security of Internet use for online banking, email, or even simple web browsing. In December of 2006 the Microsoft Corporation announced their concerns over computers infected with Botnets, Zero-day exploits, Trojans, and Rootkits. Starting in January 2007 Microsoft has organized several closed-door meetings with a broad cross section of
security experts to strategize a response to the growing security concerns. Microsoft’s motivation stems from their own statistical figures exemplifying that “half of the four million malware infected systems detected in the second half of 2006 … were under the control of Botnets of one kind or another.” Similarly, the Symantec Corporation identified 4.5 million computers in the first half of 2006 which were infected with robotic malware [4, 6]. Microsoft’s concern and response can clearly be seen in the simple use and function of their new Vista operating system which closely monitors all user activities and delivers immediate feedback if an unexpected or unsecured operation is attempted. The underlying threat identified in these meetings is that these Botnets were not isolated autonomous entities, but tightly controlled and organized networks. The consensus is that this army of zombie computers is being controlled and used for various applications by organized crime.

In a 2005 survey of over 1400 corporations ranging from finance to manufacturing, of which over 1240 were banks located in the United States, 59% reported that they were increasing their IT security investment in privacy and transaction processing, 70% were increasing security software, and 80% had already adopted vital security intrusion detection and prevention infrastructure [5]. This emphasis is not expected to change for 2007 where the number one and two items for technological trends for expansion and development in the Small Medium Businesses (SMB) market are security and storage area networks. It is expected that the SMB spending will exceed large businesses’ expenditures [3]. The banking industry’s motivation for leading the way in security implementation is very clear; they must protect the interest of their clients.

Consumers now alerted to the significance and capability of Internet deception are requesting more stringent constraints to safeguard their online transaction processing. A recent online survey commissioned by RSA Security Inc. in Bedford Massachusetts stated 52% “are ‘somewhat’ or ‘very much’ less likely to sign up for or continue to use online services from their banks” due to the dominating deceptive phishing trends. This is an increase of 39% from the 2005 survey and 49% from the 2004 survey. The survey indicated 82% of the respondents were “somewhat” or “very much less likely” to respond to e-mail messages from their banks and 5% had actually revealed sensitive information due to phishing [22]. Clearly from consumer feedback, the common user is overwhelmed by the level of fraud that dominates the Internet.

With all the publicity over hacker phishing and pharming and the years of investments corporations have made in educating users, one would think these social engineering exploits should now be ineffective. Because the naïve users are often exploited through perceived trusted relationships or an organizationally safe environment, basic social engineering within a personal or corporate setting is still being successfully implemented. Organizations still need to provide practical steps to improve existing policies and train users in how to respond or more often how not to respond to such exploits [16]. The sophistication of implementation for these attacks has many recognizing that organized crime is investing more effort in concealing their tracks by using unsuspecting users’ systems. Various experts are predicting that criminal organizations will cause unprecedented losses in 2007 targeting “corporate and consumer defenses” through use of zombie computers organized into Botnets. These Botnets enable spyware, spam, spim, phishing attacks, and DDOS attacks resulting in billions of dollars in lost revenue from theft, extortion, or lost productivity [17] [27]. With this level of sophistication comes a new level of challenges for system administrators in SMB corporate network environments and the ordinary home user. No longer is it just the larger corporate entity that is at risk, but even more commonly, the Internet user.

Comparison of Malware Security Trends from 2001 to 2007

| Author / publication / corporation | Title | Number of contributors | Year of publication | Type of comparison |
|---|---|---|---|---|
| Gibson, Steve | Spyware was Inevitable | Single contributor, academic peer reviewed | 2005 | Moderate overview |
| SCMagazine Staff | IT security reboot 2006: The year's top news | Staff reviewed | 2006 | Detailed overview |
| Keizer, Gregg | Gartner outlines top enterprise security threats for 2003 | One contributor and professionally peer reviewed | 2003 | Detailed overview |
| Maguire, James | Top Ten 2007 Security Problems: Predictions | One contributor used corporate feedback for statistical review | 2006 | Moderate overview |
| SANS Staff | SANS top-20 Internet security | Significant number of contributors from the professional community and academic peer review | 2006 | Very detailed |
| Schneier, Bruce | Attack trends 2004 and 2005 | Single contributor, academic peer reviewed | 2005 | Moderate overview |
| SANS Staff | The Top 10 Most Critical Internet Security Threats | Significant number of contributors from the professional community and academic peer review | 2001 | Very detailed |
| SOPHOS Staff | Threat analyses: These analyses describe some of the more common or interesting threats and applications. | Interview via a podcast broadcast with technical security expert | 2007 | Limited, application primarily focused upon IBot activity |
Table 1. Resource Listing for Comparative Analysis of Trends

3. RECOGNITION OF THE CHALLENGES FOR INTERNET SECURITY
Through a comparative analysis of security exploits and trends from various resources, there is relatively little difference between the exploits used today as compared to 2001. Table 1 highlights the research and analysis of exploits from 2001 to the present from various contributors. The research incorporates a broad cross section of organizations with insight and contribution ranging from individuals to large peer-rated committees. There have been new innovations, but the basic hacking attack process has remained the same but with a greater emphasis on the deployment vehicle – Puppets and IBots. These contributors also exemplify how organized crime is playing a significant role in their use and application of these exploits. New technology has afforded more flexibility and freedom since Botnets and Puppetnets have allowed the attacker to maintain their autonomy and anonymity. Though progress has been made, there are very few advances in trace-back techniques to clearly identify the sources of most attacks using TCP and even fewer with UDP due to the connectionless characteristics of the protocol [24]. Even more significant is the lack of substantial government involvement to safeguard individual users from loss. The Federal Bureau of Investigation will not involve themselves in any acts of loss unless they are substantial. Therefore, careful assessment must be made to ascertain the extent of corporate or individual user liability before government support can be expected. With that understanding, consideration can be given to the tools the hacker is using to exploit resources or extort information. Once associated pitfalls are effectively identified then the proper constraints can be implemented to mitigate loss.

Botnets, more common than Puppetnets, have been cultivated and have allowed hackers to remotely take control of a user’s machine to do their own bidding through some backdoor or rootkit application embedded on some unsuspecting host. A basic limitation once the computer device has been taken over is that it must be on and accessible via the Internet. The level of control is extensive and system process domination is very obvious. There are currently many anti-malware applications on the market today that are capable of monitoring and identifying whether a system is infected or not [15]. The use of these applications can limit the effect of possible infection. A common scenario for infection to occur is for an unsuspecting user to download some utility they find on the network. Upon installing the application to their system, they do not realize that, in the background, code from the same install adds a backdoor to their system created for the hackers’ later use. Once installed, some malicious utilities are capable of replicating themselves to other systems on the same network, extending the hackers’ influence and capability. These common exploits are referred to as Viruses, Trojans, and Worms with the distinctive term identified from the extent of their capabilities.

Figure 1. Sample code for Puppetnet DDoS attack [12]

Unlike Botnets, a Puppetnet’s level of control is limited and the infection difficult to detect since the systems themselves are not actively infected and activities are limited to the browser memory space (sample code is shown in figure 1), where code is piggybacked over normal HTTP traffic exchange. The exploit limits its activity to the TCP/IP protocol stack application layer, spawning background session processes through the guise of the browser, never infecting the local host operating system (figure 2). Therefore, little detection is available from traditional malware detection tools. Since the threat is not localized and interacting with the operating systems’ core processes, the user remains unaware their machine is being used to act against others remotely. Also the level of control from the hacker is very limited, thus the system is a puppet on a string versus an IBot zombie. This demonstrates the elusive nature of various tools that the new Internet criminal is using for personal gain and profit. The malicious payload has not changed (can use a variation on a common worm infestation), but the method of delivery has now become virtually untraceable, making it difficult to determine if you are the medium for carrying out someone else’s misdeeds (figure 3). The application layer infection that gives puppet-like control of your system is incurred by visiting an infected “authentic” website. Here the sponsor is unaware that they are transmitting a worm infection to propagate Puppets and create Puppetnets. The same situation can occur as with many of the current phishing and pharming scams, whereby users are lured to a malicious website to exploit personal information gained through social engineering, and in the process the victim can also receive a piggybacked puppet exploit, as well as lose valuable personal information [12].

Figure 2. DDoS using Puppetnets [12]
Figure 3. How Puppetnets propagate worms from infected server through browsers [12]

The Centers for Disease Control on February 2, 2007, fell victim to a virus attack that was spread to many innocent viewers through their websites’ video downloads. Currently the breach is being investigated, and the full extent of the exploits is being determined [7]. This event brought in the support of the Federal government due to the risk of the target being attacked. What is significant is that a public radio announcement along with public announcement services suggested that if you had visited the site you could be vulnerable to virus infection. This announcement shrouded in ambiguity suggests a footprint similar to the very nature of a puppet viral infection. Therefore even if you only viewed the site you could now be a tool for hacker exploitation, infected from a Puppet-sick website (figure 3). This deceptive charade of representing websites as valid representations of commercial institutions’ sites to gain personal information from unknowing users has been prevalent since 2004. Commonly known as phishing, the basic principle employed by hackers is to combine social engineering with technical deception by making it look authentic and safe. Awareness and validation are key considerations that users and businesses should incorporate into their understanding and security practices in combating loss and avoidance of deception. This means one cannot be indifferent. Internet security is more than a proper technological application of standards. It is the knowledge and understanding of who one’s enemy is and how to avoid being exploited [28].

These attack models can be used to exploit not just Local Area Network (LAN) or Wide Area Network (WAN) topologies, but also Wireless Local or Metropolitan Networks as well (WLAN, WMAN). Stanford researchers are focusing on the current wireless technology afforded to hackers and the various vulnerabilities this technology provides to interrupt normal operations. Their study describes wireless frequency patterning to establish signal-prints of would-be attackers spoofing various MAC addresses. From these signal-prints, cross-referenced vectors can geographically pinpoint origins of disruption. The cross vectoring of signals identifies typical patterns behind the sources of various attacks; it can confirm that an attack is actually occurring and locate the origin of the transmissions. Part of the problem encountered in combating penetrations and attacks is determining if they are really occurring in real-time since attempts are often covert and their source of origin very difficult to trace [1]. Though there are degrees of success, many issues still need to be addressed for wireless and mobile technology applications. Less common than wireless exploits, mobile cell phone devices can be subject to Distributed Denial of Service attacks. In these types of attacks, the wireless device is flooded with unsolicited traffic where at a minimum, the users’ cell phone battery is drained of power and rendered useless [23].

Today there are many Zero Day exploits and application layer vulnerabilities that are not detected by scanning software. Traditional malware vulnerability schemes attempt to address the current functionality of malware that has been embedded into operating systems. This process of observation identifies and monitors process events that make calls to application resources not initiated by the system user. Many such applications position themselves between the kernel and system application to measure process calls and identify patterns and behaviors. For most malware to be effective, it must evade user and anti-malware applications’ detection as demonstrated with Puppetnet technology. The new strands of attacks demonstrate the elusive characteristics and capability of malware. New patterning methods must be developed for event processing in anticipation of zero-day attacks [15]. In a recent interview, a representative from Sana Security, Jon Summers (personal communications, February 13, 2007), highlighted the time lag seen in figure 4 between when an anomaly is identified and when a fix is posted by most antiviral solution providers. What is significant is the minimum of 30 hours before a fix can be released and applied, and the 30 days for full deployment to be implemented. This figure should alert us all to the level of risk inherent until an appropriate patch can be created, deployed, and implemented. The obvious question is, if a vulnerability is identified, how are the unsuspecting victims’ systems being utilized until a fix is applied?

Figure 4. Time delay comparison of malware detection to deployment of safeguard - SanaSecurity.

4. DISCUSSION
Solutions for the avoidance of hackers’ exploits, whether they are Botnets, Puppetnets, or other maladies have not really changed; they now just require more diligence and caution. Common sense mitigation includes: system patch updates, disabling JavaScript, filtering attack signatures, implementing tighter controls for client-side and server-side behavior, monitoring traffic flows, and employing tracing methods as
appropriate. The same old method of highlighting awareness of the problem and then of addressing the problem to the proper authorities or corporate stakeholders to determine a cost effective method to mitigate risk still applies. Training of staff regarding the operational procedures that must be applied for conducting business using Internet resources must be consistently emphasized and regularly scheduled [16]. Training for the common Internet user poses a different sort of problem which can only be addressed informally. But even more than the operational procedures, technical applications embracing new relevant tools that defend or define the extent or application of an attack need to be incorporated into the strategic makeup of every network.

The Black Hole network is one such method. A Black Hole network is a strategic practice of network placement for redirection of unused address space traffic to a black hole address space for statistical analysis, to include avoidance of malicious IP traffic originating from Internet attackers, and has been in practice for many years [2]. Various applications for this practice are now starting to be employed in many practical ways to mitigate attacks through redirection of bogus packets for statistical analysis to this dead address space (figure 5). Because a hacker quickly discovers that their attempts are being redirected, those that employ black hole techniques are combining this technique with a viable target to maintain the attackers’ interest for further analysis of their tactics.

Figure 5: Internet traffic sensor redirection architecture [2]

To maintain a hacker’s interest, researchers at the University of Houston in Houston, Texas justify the use and application of “Honeypots” to aid in computer forensic efforts. A common deployment for system administrators maintaining a hacker’s attention is to include a computer system’s presence in the dead address space (Blackhole) that demonstrates potential for exploitation. Through the safe and effective practice of Honeypots, hacking strategies are analyzed and trends determined to more effectively counter criminal exploits. A more extensive application of the Honeypot concept is when multiple devices listed in unused address space are available and vulnerably configured. This concept is called a Honeynet. Security technicians need to gain more understanding of the hackers’ attack trends so loss may be minimized. Honeypots and Honeynets provide a controlled test environment that identifies these exploit trends and provides valuable insight [19]. Now that ethical practices and legal constraints have been clearly identified, Honeynets are common in application, providing valuable data to aid research in combating Internet abuse.

A recent breach reported on the local Atlanta news (2007, February 22) identified how a hacker had infiltrated a university network infrastructure and accessed faculty, staff and student information. Details are still pending, but it is clear these activities were discovered and captured with Honeynet tools currently being implemented at Georgia Technical University. Per a recent interview with Chris Lee (personal communications, February 15, 2007), the administrator at Georgia Institute of Technology Honeynet research Project, there are many variations of the Honeypot application. Honeypots at Georgia Institute of Technology are purposely being deployed for high-interaction, low-interaction (nepenthes), WiFi, as virtual systems in VMware, VPN bridged-ethernets to form large Honeynets, and Honeymoles which redirect traffic to remote network locations. The significance of this approach is that attackers are constantly being tracked and monitored to identify the extent of their capabilities for analysis and documentation.

Some scholars have focused their efforts on attempting to create visual representations of identified attacks so that through simple observation a user can immediately respond [11]. Through tracking and observing of tagged session flows, a visual representation can be seen of any perceived attack (figure 6). Attack detection is, therefore, not dependent upon signature or anomaly based applications to alert the user. One of the major problems that system administrators experience is determining whether an attack is occurring in real-time. Typically system administrators spend valuable time having to sift through superfluous data before assuming a course of action to counter an attack. With a visual representation of suspicious qualifiable patterns, administrators gain more insight in how to initiate an immediate response to an attack [13]. Therefore, we have moved beyond basic signature or anomaly based detection methods with preprogrammed responses often seen in most IDS or IPS applications to a more intuitive human sensory approach that can clearly identify and distinguish traffic patterns quickly and respond accordingly. Visualization of attack patterns gives the system administrator for a network another definitive tool of what is actually happening on the network in real-time [18]. The application of visual representation of network traffic is becoming a dominant trend in the war to combat Internet crime.

Figure 6: Impromptu Client with Activity Wear, User Characterization, and Media Characterization [11]
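The Black Hole practice described in section 4 (traffic addressed to unused address space is collected for statistical analysis, then paired with a viable target) can be worked through on flow records. This is an added example, not code from the paper or from the sensor project it cites; the prefixes are RFC 5737 documentation ranges, the flow records are constructed, and the function names and thresholds are assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumption: the organisation's allocation (an RFC 5737 documentation range).
ALLOCATED = ipaddress.ip_network("198.51.100.0/24")
# Assumption: only these subnets hold live hosts. The rest of the allocation is
# unused ("dark") space, so any packet addressed to it is unsolicited.
IN_USE = [
    ipaddress.ip_network("198.51.100.0/26"),
    ipaddress.ip_network("198.51.100.64/27"),
]

# Constructed flow records in the form a border sensor might export.
SAMPLE_FLOWS = """\
time,src,dst,proto,dst_port
2007-02-15T10:00:01,203.0.113.7,198.51.100.130,tcp,445
2007-02-15T10:00:01,203.0.113.7,198.51.100.131,tcp,445
2007-02-15T10:00:02,203.0.113.7,198.51.100.132,tcp,445
2007-02-15T10:00:02,203.0.113.7,198.51.100.133,tcp,445
2007-02-15T10:00:03,203.0.113.7,198.51.100.10,tcp,445
2007-02-15T10:01:10,192.0.2.44,198.51.100.200,tcp,22
2007-02-15T10:01:10,192.0.2.44,198.51.100.200,tcp,23
2007-02-15T10:01:11,192.0.2.44,198.51.100.200,tcp,80
2007-02-15T10:01:11,192.0.2.44,198.51.100.200,tcp,3389
2007-02-15T10:02:30,192.0.2.99,198.51.100.150,udp,53
2007-02-15T10:03:00,203.0.113.50,198.51.100.20,tcp,80
"""


def is_dark(dst):
    """True if dst lies inside the allocation but outside every in-use subnet."""
    addr = ipaddress.ip_address(dst)
    return addr in ALLOCATED and not any(addr in net for net in IN_USE)


def dark_stats(text):
    """Aggregate, per source, the traffic that landed in dark address space."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "ports": Counter()})
    for row in csv.DictReader(io.StringIO(text)):
        try:
            if not is_dark(row["dst"]):
                continue  # traffic to live hosts is outside the sensor's scope
            port = int(row["dst_port"])
        except (ValueError, TypeError, KeyError):
            continue  # skip malformed records rather than abort the run
        entry = per_src[row["src"]]
        entry["packets"] += 1
        entry["dsts"].add(row["dst"])
        entry["ports"][(row["proto"], port)] += 1
    return dict(per_src)


def classify(entry, min_dsts=3, min_ports=3):
    """Label a source by the shape of its dark-space traffic (thresholds assumed)."""
    n_dsts, n_ports = len(entry["dsts"]), len(entry["ports"])
    if n_dsts >= min_dsts and n_ports < min_ports:
        return "horizontal-scan"  # one service probed across many addresses
    if n_ports >= min_ports:
        return "vertical-scan"    # many services probed on few addresses
    return "stray"                # isolated packet: misconfiguration or noise


def report(text):
    """Map each source seen in dark space to its label."""
    return {src: classify(entry) for src, entry in dark_stats(text).items()}


def top_ports(text, n=3):
    """Most frequently probed (protocol, port) pairs across all dark traffic."""
    total = Counter()
    for entry in dark_stats(text).values():
        total.update(entry["ports"])
    return total.most_common(n)


def honeypot_candidates(text):
    """Sources worth steering to a monitored honeypot for further observation."""
    return sorted(src for src, label in report(text).items() if label != "stray")


if __name__ == "__main__":
    for src, label in sorted(report(SAMPLE_FLOWS).items()):
        print(f"{src:15} {label}")
    print("most probed:", top_ports(SAMPLE_FLOWS, 1))
    print("steer to honeypot:", honeypot_candidates(SAMPLE_FLOWS))
```

Because no legitimate host lives in the dark range, every record that survives `is_dark` is unsolicited, which is why simple counts are enough to separate scans from stray packets without signatures.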
5. CONCLUSION AND FUTURE WORK
The general motivation and methods of common information technology exploits have not changed in the past five years. Instead, the methods have become more technically elite and challenging to identify. Clearly, various organizations are voicing a concern over the influence and capability of Botnets and Puppetnets and the elements of organized crime propagating their use. New technical innovations provide many opportunities for the reworking of older known hacker exploitations, with a new medium for transmission. Though there are new methods, they are often nothing more than a variation of past exploits. Social Engineering, Viruses, Trojans, DDOS, and Worms can be repackaged in many different ways. The social mindset and orientation of the attacker and the typical strategic approach of their attacks have remained the same [29]. Our response today must have the same level of sophistication employed by the new innovations that hackers are implementing. We need to educate Internet users of the hackers’ exploits and current trends. We also need to track and monitor exploits being employed in order to anticipate future attacking strategies, graduating level of hacker enticement with containment through methods seen in Blackhole and Honeynet applications. There are many new strategic methods and tools of application that can be deployed to identify and anticipate an attack. Extensive research should be devoted to visualization techniques. More practical tools should be explored to empower the common Internet user. The Internet today is faster, more information enriched, and sadly, unsafe from malicious exploitation of the ordinary user.

6. REFERENCES
[1] Cheriton, D. R., & Faria, D. B., (2006, September). Detecting identity-based attacks in wireless networks using signalprints. Proceedings of the 5th ACM workshop on Wireless security WiSe '06, ACM Press, 43-52.
[2] Cooke, E., Bailey, M., Mao, Z. M., McPherson, D., Watson, D., & Jahanian, F., (2004, October 29). Toward understanding distributed blackhole placement. WORM, ACM Press, 54-64.
[3] Cox, Mark, (2007, February). Top ten trends among SMBs. eChannelLine Daily News, Retrieved February 15 2007, from http://www.connectitnews.com/usa/story.cfm?item=437.
[4] Criminals increasingly turn to zombie PCs – Microsoft fears the rise of the Botnet. (2006, December 27). Techworld Kavanagh Report, Retrieved January 25 2007, from http://www.techworld.com/news/index.cfm?newsID=7674.
[5] De Guzman, Mari-Len, (2005, June 20). Banks to spend more on IT security, survey says privacy regulations and other compliance issues are behind the spending uptick. IDG News Service. Retrieved January 25 2007, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=102642.
[6] Dunn, John E., (2007, January 24). Microsoft Holds Botnet Summit – Secret Squirrels Mull Security Threats. Techworld Kavanagh Report. Retrieved January 25 2007, from http://www.techworld.com/news/index.cfm?newsID=7835.
[7] Gaudin, Sharon., (2007, February 6). CDC plagued by virus of a different strain. Information Week. Retrieved February 16 2007, from http://www.informationweek.com/news/showArticle.jhtml?articleID=197003756.
[8] Gibson, Steve, (2005, August). Spyware was Inevitable. Communications of the ACM, Vol. 48, No. 8.
[9] Keizer, Gregg, (2003). Gartner outlines top enterprise security threats for 2003. Retrieved January 25 2007, from http://www.techweb.com/wire/26800849.
[10] IT security reboot 2006: The year's top news. (2006, December 14). Retrieved January 25 2007, from http://www.scmagazine.com/us/news/article/610018/it-security-reboot-2006-years-top-news/.
[11] Jennifer Rode, Carolina Johansson, Paul DiGioia, Roberto Silva Filho, Kari Nies, David H. Nguyen, Jie Ren, Paul Dourish, and David Redmiles, (2006, July). Seeing further: Extending visualization as a basis for usable security. SOUPS 2005, July 12-14, 2006, Pittsburgh, PA, USA, 145-155.
[12] Lam, V. T., Antonatos, S., Akritidis P., & Anagnostakis, K. G., (2006, October). Puppetnets: Misusing web browsers as a distributed attack infrastructure. Proceedings of the 13th ACM Conference on Computer and Communications Security CCS '06, ACM Press, 221-234.
[13] Lee, C. P., & Copeland, J. A., (2006, November). FlowTag: A collaborative attack analysis, reporting, and sharing tool for security researchers. Proceedings of the 3rd International Workshop on Visualization for Computer Security VizSEC '06, ACM Press, 103-107.
[14] Maguire, James, (2006, December 20). Top Ten 2007 Security Problems: Predictions. Retrieved January 25 2007, from http://www.esecurityplanet.com/article.php/11162_3650151_2.
[15] Moffie, M., Cheng, W., Kaeli, D., & Zhao, Q., (2006, October). Hunting Trojan Horses. Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability ASID '06, ACM Press, 12-17.
[16] Orgill, G. L., Romney, G. W., Bailey, M. G., & Orgill, P. M., (2004, October). The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. Proceedings of the 5th Conference on Information Technology Education CITC5 '04, ACM Press, 177-181.
[17] Reavis, James, (2007, January 17). Ready or not, here comes 2007! Retrieved January 25 2007, from http://www.riskbloggers.com/jimreavis/2007/01/ready-or-not-here-comes-2007/.
[18] Rode, J., Johansson, C., DiGioia, P., Filho, R. S., Nies, K., Nguyen, D.H., Ren, J., Dourish, P., & Redmiles, D., (2005, July 12-14). Seeing further: Extended visualization as a basis for usable security. Symposium on Usable Privacy and Security, SOUP, 145-155.
[19] Sadasivam, K., Samudrala B., & Yang, T. A., (2005, April). Design of network security projects using honeypots. Journal of Computing Sciences in Colleges, Volume 20 Issue 4, 282-293.
[20] SANS top-20 Internet security attack targets (2006 Annual Update) version 7. (2006, November 15). Retrieved January 25 2007, from http://www.sans.org/top20/2006/.
[21] Schneier, Bruce, (2005, June). Attack trends 2004 and 2005. Queue Volume 3, Issue 5.
[22] Security issues are eroding trust in online banking, survey shows. (2007, January 29). Retrieved January 30 2007, from http://www.digitaltransactions.net/newsstory.cfm?newsid=1232
[23] Swami, Yogesh Prem & Tschofenig, Hannes, (2006). Protecting mobile devices from TCP flooding attacks. ACM Press, 63-68.
[24] Tupakula, Udaya Kiran & Varadharajan, Vijay, (2006). Analysis of traceback techniques. Conferences in Research and Practice in Information Technology, CRPIT, Volume 54.
[25] The Top 10 Most Critical Internet Security Threats - (2000-2001 Archive) Version 1.33. (2001 June 25). Retrieved January 25 2007, from http://www.sans.org/top20/2000/.
[26] Threat analyses: These analyses describe some of the more common or interesting threats and applications. They only cover a small proportion of the viruses, spyware, Trojans, worms, adware and PUAs detected by our products, (2006). [Podcast, sophos-podcast-011] Retrieved January 25 2007, from www.sophos.com/podcasts.
[27] Treese, Win, (2004, September). The State of Security on the Internet. - Putting It Together. netWorker Volume 8, Issue 3.
[28] Van der Merwe, A., Loock, M., & Dabrowski, M., (2005, January). Characteristics and responsibilities involved in a phishing attack. Proceedings of the 4th International Symposium on Information and Communication Technologies WISICT '05, Trinity College Dublin, 249-254.
[29] Zhang, L., (2003, September). Why do people attack information? And what will be the trend in the future? Department of Computer Science, University of Helsinki, Finland, 1-5. Retrieved January 25 2007, from http://www.cs.helsinki.fi/u/lamsal/teaching/autumn2003/student_final/lili_zhang.pdf.