Scary threats Get Scarier

It used to be that if you avoided sketchy Web sites and were very careful about clicking on links in e-mail messages, your odds of acquiring a nasty worm or trojan through a drive-by download were pretty low. That may no longer be the case.

In its assessment of the top security risks of 2008, the SANS Institute gave top place to “increasingly sophisticated Web site attacks that exploit browser vulnerabilities.” One key change is the increasing ability of attackers to compromise well known Web sites that visitors are likely to regard as safe. “Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public,” the report says.

Other top threats include:

--More sophisticaed networks of compromised "zombie" computers that can be used to spew spam and malware. The new botnets infect other computers more easily and are harder for the good guys to find and eradicate.

--Cyber-espionage by organized entities, perhaps governments, looking to steal large amounts of data.

--New threats to mobile devices, especially those running sophisticated operati9gn systems such as the iPhone and upcoming Open Handset Alliance Android phones.

--Insider attacks. Often overlooked, the most devastating attacks frenquiently come from within networks and are launched by people who have been given legitimate access to systems.

--Advanced identity theft by malicious software. The mkore personal information that can be collected about an individual, the more damage that can be done.

The annual SANS threat outlook was prepared by security experts Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Allen paller.