CyberSecurity Institute

Security News Curated from across the world

Category: Trends

Security’s Top Five Priorities

Posted on May 5, 2007 / December 30, 2021 by admini

1. The Portable Problem
They can be the getaway vehicles for sensitive data, or the unwary carriers of viruses and other malware. It’s no surprise, then, that removable storage is at the top of almost every security professional’s priority list these days. In a survey published yesterday, Centennial Software reported that 38.4 percent of attendees at the recent InfoSecurity Europe conference listed portable media as the number one security issue facing their organization. Viruses finished second at 23.7 percent; spyware garnered 22.3 percent. “It comes up in every conversation I have with a customer,” says Steve Stasiukonis, vice president and founder of Secure Network Technologies, a penetration testing firm. According to a study published two weeks ago by Senforce Technologies, 73 percent of IT professionals say their organization houses critical data on removable devices such as laptops, thumb drives, and iPods. Twenty-three percent of the respondents said their organization had reported a network security breach in the last 12 to 18 months, and another 25 percent said they didn’t know whether such a breach had occurred.

2. Web Two Point Zero-Day?
In tests of some 31,000 Websites last year, the Web Application Security Consortium exposed more than 148,000 vulnerabilities, according to the latest WASC statistics. As with portable devices, the problem with emerging Web applications — sometimes collectively called Web 2.0 — is that the popularity of the technology is rapidly outstripping the IT organization’s ability to secure it. Fortify Software earlier this month reported a new wave of Internet attacks targeting Web 2.0 sites and the Ajax applications that have helped make them so dynamic.

3. Attacker Inside!
Corporations have always been concerned about security leaks and insider attacks.

4. Endpoint End Game
Networks and applications are nice, but most hackers’ favorite target is a nice, blissfully-ignorant end user. Some 25,090 (13 percent) of the corporate PCs surveyed had unauthorized USB devices attached to them. Whether it’s Cisco’s NAC, Microsoft’s NAP, or any one of a dozen other endpoint security strategies, corporations need to find a solution, and fast.

5. Botnet Bugaboo
When attackers crippled two of the Internet’s key Domain Name Service servers in February, it was bad enough. But now experts are telling us that the attack might have been a prologue to a much larger attack, or perhaps even a sales demo for a botnet seller. BBC News today is reporting that some companies have begun hiring hackers to launch botnet attacks on their competitors, creating spam networks or crippling their rivals’ networks with botnet traffic. And with zero-day vulnerabilities discovered in Microsoft’s DNS just a few weeks ago, the botnet threat is greater than ever, experts say. “Botnets are pervasive on the Internet and use zero-day vulnerabilities, such as Microsoft’s DNS vulnerability, to grow their armies,” said Ashar Aziz, CEO of security company FireEye. “Botnets enable theft of enterprises’ customer data and intellectual property, and can be used to commit fraud and crime on a large scale.”

http://www.darkreading.com/document.asp?doc_id=123294&WT.svl=news2_3

Compliance drives security configuration management

Posted on April 26, 2007 / December 30, 2021 by admini

“Either it’s a vulnerability in software, which we are all familiar with, or configuration changes being made day to day by people within the organization that introduce vulnerabilities,” he said.

Colorado Springs, Co.-based Configuresoft Inc. is making itself stand out by trying to capitalize on organizations upgrading systems to a service-oriented architecture and those that are using server virtualization.

Companies such as Lexington, Mass.-based Bladelogic Inc. are filling the need for server configuration management, said Mark Nicolett, research vice president at Stamford, Conn.-based Gartner Inc. “This segment is a bit busier than it had been and I expect this segment to be driven harder,” he said. The vendor is using business intelligence to alert management of any configuration changes that can open holes and increase risk, said Andi Mann, a senior analyst at Boulder, Co.-based Enterprise Management Associates.

George Gerchow, Configuresoft’s technology strategist, said merchants seeking compliance with the PCI DSS credit card security standards are driving spending on configuration management tools.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1252785,00.html

Malware Spikes in 1Q As Hackers Increasingly Infect Websites

Posted on April 25, 2007 / December 30, 2021 by admini

With computer users becoming more aware of how to protect against e-mail-based malware, hackers have turned to the Web as their preferred vector of attack. The trojan is typically found in html or ASP files, and can download and execute files from malicious Web sites to infected computers.

The company’s researchers found that 70% were legitimate Web sites that were vulnerable to attack because they were unpatched, poorly coded, or had not been maintained by their owners. They also found that 12.8% were hosting malicious script, while Windows malware was responsible for infecting 10.7%.

“What’s most worrying is that so many Web sites are falling victim because the owners are failing to properly maintain them and keep up to date with their patches,” said Carole Theriault, a senior security consultant at Sophos, in a written statement.

“The average Internet user assumes sites like the Miami Dolphins homepage are safe to access, but by targeting a whole range of Internet pages, hackers are successfully infecting a larger number of unwary surfers.”

http://www.darkreading.com/document.asp?doc_id=122469&f_src=darkreading_section_318

Goldman Sachs IT spending survey: Winners and losers

Posted on March 14, 2007 / December 30, 2021 by admini

The report also detailed what hardware and software players were gaining traction.

Surprisingly, Lenovo and Apple were shown to be gaining share of the IT spend, while Dell and HP were losing share.

http://blogs.zdnet.com/BTL/?p=4646

ID theft forecast: Gloomy today, worse tomorrow

Posted on March 7, 2007 / December 30, 2021 by admini

“Hackers are exploiting Internet auctions, money transfers like Western Union and PayPal, the ability to impersonate lottery and sweepstake contests, and other types of imaginative scams,” said Litan. “They’re going after the weakest links, the consumers using social engineering tactics, and the U.S.’s payment systems at retail and businesses.” “Banks eat the fraud there,” at least for now, said Litan.

A Massachusetts state lawmaker, however, has proposed a bill that would hold retailers financially responsible for breaches. “The retailers are already paying for fraud” in the form of higher interchange charges, Litan said. She offered up examples of how that might be done, including more sophisticated authentication on debit cards and payment processors relying on identity scoring systems that were able to spot thieves using indicators like physical location.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012483&source=NLT_AM&nlid=1

Japanese police confirms cybercrime growth trend

Posted on February 22, 2007 / December 30, 2021 by admini

The majority of cybercriminals in Japan were in their teens and twenties, following the trend from recent years.

The NPA is currently trying to promote public awareness of cybercrime and has so far succeeded in that, which has been highlighted by a significant drop in the number of cybercrime complaints for the first six months of 2006.

http://www.viruslist.com/en/news?id=208274044
