Cyber Security Institute

Monday, December 17, 2007

New Service Detects Backdoors in Software

Here’s something else to keep you up at night: most of today’s scanning tools can’t detect backdoors that are inserted into software during the development process.  Researchers at Veracode have identified several different forms of these backdoors.  Some are put in deliberately by the developer for debugging and inadvertently put the application at risk; others can be sneaked into applications by malicious coders or attackers.  Fortify Software researchers call the malicious form of this threat “cross-build injection”, where vulnerabilities and malware such as backdoors are tucked into code during the software development process.  Veracode today also announced new features in its SecurityReview application security scanning service that detect some of these backdoors, which can sit quietly and invisibly in an application without your knowledge, leaving the door unlocked for an attacker to take over your machines.
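As an added illustration of what such a scanner looks for (this is example code, not Veracode’s or Fortify’s tooling), the script below runs a few constructed backdoor signatures over a constructed sample program: a forgotten debug account compared against literal credentials, and a hidden command channel that hands request input to the shell. The rule set, the sample program and the finding format are all assumptions made for this example; a production scanner works on a parsed syntax tree with a far larger rule set, and the point here is only that these patterns are visible in source long before they are visible to a network scanner.

```python
"""Source-level scan for developer and attacker backdoors.

Added example, not code from the original article or from Veracode/Fortify.
The rules and the SAMPLE program are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


# Each rule is (name, regex). Deliberately simple, line-oriented heuristics.
RULES = [
    # A credential-like variable compared against a string literal: the
    # classic "debug account the developer forgot to remove".
    ("hardcoded-credential",
     re.compile(r"""\b(user(name)?|pass(word|wd)?|pwd|secret)\s*==\s*["'][^"']+["']""",
                re.I)),
    # Code execution fed directly from request/socket/environment input:
    # a hidden remote command channel.
    ("remote-exec",
     re.compile(r"""\b(eval|exec|os\.system|subprocess\.\w+)\s*\(\s*\w*(recv|request|param|args|environ)""",
                re.I)),
    # A magic header that switches the app into an undocumented mode.
    ("magic-header",
     re.compile(r"""["']X-(Debug|Backdoor|Bypass)["']""", re.I)),
]


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in source order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(no, name, line.strip()))
    return findings


# Constructed sample program; the only thing "real" about it is that both
# patterns have been found in shipped software many times.
SAMPLE = '''\
def login(user, password):
    if mode == "debug":                              # benign: not a credential
        log.info("login attempt")
    if user == "maint" and password == "letmein":   # forgotten debug account
        return True
    return check_db(user, password)

def handle(request):
    if request.args.get("cmd"):
        os.system(request.args["cmd"])               # hidden command channel
'''


if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.line}")
```

The benign `mode == "debug"` line is included to show that a credential-name check, not a bare string comparison, is what keeps the noise down; the fix for a real hit is to delete the debug path entirely rather than to hide it behind a better secret.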


VoIP vulnerabilities increasing, but not exploits

The threats against VoIP are numerous and seem to be growing, but in 2008 the technology probably won’t suffer crippling attacks.  VoIP is susceptible to the many exploits that networks in general are heir to: denial of service, buffer overflows and more.  For instance, two protocols widely used in VoIP, H.323 and Inter-Asterisk eXchange (IAX), have been shown to be vulnerable to sniffing during authentication, which can reveal passwords that later can be used to compromise the voice network.  In the case of IAX2’s MD5 method, what the sniffer captures is a challenge and hash pair rather than the cleartext password, but that pair can be attacked offline by guessing, with no rate limit and no lockout.
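To make the sniffing risk concrete, here is an added example (not from the article) modelling the IAX2 MD5 challenge/response exchange as RFC 5456 defines it, MD5 RESULT = MD5(challenge || secret), followed by the offline dictionary attack an eavesdropper can run on a single captured pair. The challenge value, peer secret and wordlist are constructed for the example; the exchange is simplified to the authentication-relevant fields and carries no real IAX framing.

```python
"""IAX2-style MD5 challenge/response and the offline attack sniffing enables.

Added example, not code from the original article. Models only the MD5
RESULT computation of RFC 5456 (MD5 of challenge concatenated with secret);
all values below are constructed.
"""
import hashlib
import secrets
from typing import Iterable, Optional


def iax2_challenge() -> str:
    """Server side: random numeric challenge sent in the AUTHREQ frame."""
    return str(secrets.randbelow(10**9))


def iax2_md5_result(challenge: str, secret: str) -> str:
    """Client side: the MD5 RESULT information element."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def server_verify(challenge: str, secret: str, response: str) -> bool:
    """Server side: recompute and compare in constant time."""
    expected = iax2_md5_result(challenge, secret)
    return secrets.compare_digest(expected, response)


def crack_sniffed(challenge: str, response: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: challenge and response both travel in the clear, so
    each guess costs one MD5 and the server never sees the attempts."""
    for candidate in wordlist:
        if iax2_md5_result(challenge, candidate) == response:
            return candidate
    return None


# Constructed "capture": what a sniffer on the path would have seen.
CAPTURED_CHALLENGE = "123456789"
PEER_SECRET = "hunter2"                       # weak secret, for illustration
CAPTURED_RESPONSE = iax2_md5_result(CAPTURED_CHALLENGE, PEER_SECRET)
WORDLIST = ["password", "asterisk", "hunter2", "letmein"]


def demo() -> Optional[str]:
    """Run the attack against the constructed capture; returns the secret."""
    assert server_verify(CAPTURED_CHALLENGE, PEER_SECRET, CAPTURED_RESPONSE)
    return crack_sniffed(CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)


if __name__ == "__main__":
    print("recovered secret:", demo())
```

Note that a fresh random challenge per registration does nothing against this attack; it only prevents replay of an old response. The defences are a secret too long to guess, IAX2’s RSA authentication method, or carrying the signalling over an encrypted tunnel so the pair is never observable.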


Thursday, December 13, 2007

Companies are Thinking of Information Security as a Strategic Asset

Ernst & Young issued findings from its tenth Global Information Security Survey and concluded that a growing number of firms recognize the other fringe benefits of keeping data safe.  E&Y polled about 1,300 senior executives in over 50 countries and found that although compliance is still a big driver of info sec initiatives, almost half of respondents (45 percent) said that meeting business objectives was among their top three drivers of information security.


Tuesday, December 04, 2007

Mashups, SAAS Present Security Risks

Experts say the technologies and their building blocks, XML and HTML, have inherent security flaws.  The rise of mashups and similar technologies has given developers a way to build simple applications, but they’re also opening up a new world of security issues.  The risks involved with mashups and SaaS (software as a service) arise from the amount of sensitive data that can be exposed on the Internet.  However, Jeremy Burton, CEO of Serena Software, which released its enterprise mashup platform Dec. 3, said the benefits of the technologies can outweigh the risks.  “There are definitely security risks involved when exposing any URL on the Internet which contains confidential data behind it,” Burton said at the XML 2007 conference here Dec. 3.


Cybercrime agency faces cuts as computer raid threats grow

Staff cuts at the government agency that tackles cybercrime will leave British businesses vulnerable to attack from criminals and industrial espionage, experts say.  It has emerged that the Serious Organised Crime Agency (Soca), formed last year, will have to shed up to 400 staff when the Home Office announces its policing budget this week.  The move, which experts say weakens Britain’s defences, went ahead despite evidence that web-based threats to companies were escalating.  Research released yesterday by Finjan, a web security company, highlighted an increased volume of cyber attacks on British companies from China.


Amount of malware grew by 100% during 2007

In its 2007 data security summary, F-Secure reports a steep increase in the amount of new malware detected during 2007.  This indicates that network criminals are producing new malware variants in bulk.  Social engineering remains a key method for propagating malware, and more productive malware development tools and kits are increasingly used by the criminals.  The successful social engineering methods the Storm gang used during the first half of 2007 were further developed in the second half of the year.  The technical setup of the Storm botnet is also unique: in addition to using a novel peer-to-peer structure to avoid a single vulnerable point of control, the botnet is capable of launching DDoS attacks to retaliate against anti-virus researchers investigating it.


Monday, December 03, 2007

Study Reveals Overlooked Sources of Leaks

There are a whole lot of ways for sensitive information to leak from your organization, and most of them wouldn’t be prevented by data leak prevention tools, according to a new report issued today.  In a detailed study of 887 leak incidents, the Information Security Forum—an international, non-profit consortium of security-focused enterprises and vendors—found that many leaks are caused accidentally, often through non-technical means.  “Think about how often you hold the door open for a stranger carrying something heavy, or what you can overhear in a conversation on an airplane,” says Simone Seth, senior research analyst at ISF.  “That’s the sort of thing we found over and over again in the study.”  While there have been many studies recently on insider attacks, most of them focus primarily on online leaks, without taking into account the “old” sources of leaks that have been around for years, she observes.


Sunday, December 02, 2007

Security Breach Costs Jump 30%

The cost of recovering from a single data breach now averages $6.3 million, up 31 percent since 2006 and nearly 90 percent since 2005, according to the Ponemon Institute, which studies privacy and information management.  Two-thirds of that cost is spent recovering business that’s lost after a breach, a cost that has risen 30 percent since last year.  More customers stop doing business with a company after their information is exposed, and it’s getting more expensive to replace them.  Companies spent an average of $197 per lost record investigating the breach, notifying customers, restoring security infrastructures and recovering lost business.  Breaches by third parties (outsourcers or members of a company’s supply chain) were the second biggest cause of security compromises and are more expensive.