Security experts warn of 'January Effect' cyberattacks
The world didn't end with the Mayan calendar. But it still might be a good idea for those in the information security business to be wary of this time of year.
Jeffrey Carr, an author on cyberwarfare and founder and CEO of Taia Global, noted in a post on Infosec Island this week that a major breach or act of cyber warfare has kicked off the New Year every year since 2009.
Carr calls it "The January Effect," a well-established term in the investment world that refers to an expected price rise in securities after the first of the year. The effect, he said, is viewed as an opportunity for the bad guys.
He listed four major events as evidence:
- December 2008 - January 2009: Operation Cast Lead, a land war between Israel and Hamas that included thousands of simultaneous cyberattacks.
- December 2009 - January 2010: Google and 20-plus other companies were breached.
- January 2011 (approximate) - March 2011: RSA was breached sometime early in 2011, and announced it on March 17, 2011.
- January 2012: A hacker announced that he had Symantec's source code for Norton and other products.
"It may start in December and then get publicized in January, or happen in January and get publicized a bit later but it has happened four years in a row now so I fully expect it to occur once again," he wrote.
Some other security experts say they don't dispute the events presented, but aren't sure they stand out as all that different from other major attacks during the rest of a given year.
"The facts are what they are," said Jody Westby, CEO of Global Cyber Risk. "What is missing is any comparison with other months of the year. Was January really that different? We have had so many high profile incidents, in part because they are now more openly reported and media picks up on them more."
Always hacking season
John Prisco, CEO of Triumfant, agreed that there are major attacks at the beginning of the year, but said hackers never take a break. "If you look at the year-round nature of some of the major breaches in 2011 and 2012—Sony, Epsilon, Global Payments, SC Dept. of Revenue—clearly, they didn't all happen in January."
Carr told CSO Online that while major attacks are ongoing, those he cited were unique. "Operation Cast Lead, which contained a military and a cyber component, is very rare," he said. And the two involving RSA and Symantec are unique because they happened to major security firms.
He said it makes sense that attackers would ramp up their efforts at this time of year because people are on vacation. "You've got second- and third-tier security people working, while those in the first tier are enjoying the holidays," Carr said.
There is agreement that holiday season vacations are a factor. "There are more people logging into company networks from home computers, which are not as secure as corporate computers, during the holiday season, and cybercriminals know that there are few IT staff working during the holiday," said David Nevin, vice president at TaaSera. "So, it's a good time to launch an attack. It's not really a January Effect, it's a Global Holiday effect."
But Mike Murray, managing partner of MAD Security and also of the Hacker Academy, said he thinks it is more a matter of everything slowing in December and then picking up in January. "Even the bad guys take vacations," he said. "So, we have fewer cybersecurity resources looking for stuff happening right now, and fewer bad guys trying to do damage. But everybody comes back in early January."
Carr said he has no idea what the next attack will be, or where it will come from. Since writing his post he has heard no rumors. "Any serious attack is not going to be discussed in a public forum," he said. But, as he concluded in his post, he's "confident that it'll be something impressive."