Security News Curated from across the world
Spim affects only a small number of people today, but the problem is growing. It accounts for between 5 percent and 8 percent of all business IM communications, according to The Yankee Group. According to data from Radicati Group, 400 million spim messages were sent in 2003. That number is likely to jump to 1.5 billion at the end of 2004, representing a growth rate triple that of traditional e-mail spam.”
More info: http://news.com.com/2100-1032_3-5228678.html
Security spending takes up from 3 percent to 4 percent of IT budgets today, the Meta Group said in a report on calculating information-security spending.
A chief financial officer typically defines ROI as dollars spent balanced by additional revenue or accrued profit, but “security doesn’t generate revenue or improve profits in a predictable manner,” Meta analyst Chris Byrnes said.
The rate of spending is expected to be slower in Europe than in the U.S., with a 5 percent to 7 percent CAGR versus a 10 percent CAGR, Meta said.
The major reasons are the lower intensity of publicity regarding cyber-crime and compliance issues.
In the Asia-Pacific region, spending rates are expected to be similar to Europe in mature economies, such as Singapore, Japan, Australia, and South Korea.
Security spending in developing countries, such as Malaysia, Thailand, and Philippines, is only starting.
Within verticals, the more regulated industries and those that conduct a lot of electronic financial transactions over the public Internet are expected to continue spending more on security.
More info: http://www.techweb.com/wire/story/TWB20040607S0013
In the class-action litigation brought by families of Sept. 11th victims against the airlines, airport security companies, airplane manufacturers and the owners and operators of the World Trade Center, the court examined two main elements:1.
Whether the various defendants owed a duty of care to the people in the World Trade Center and on the planes that crashed; and 2. In finding that the case should go to a jury, the court stated that we impose a duty on a company when the relationship between the company and user requires the company to protect the user from the conduct of others. This duty of care extends to private companies.
But the court also made a revolutionary declaration with respect to foreseeability. The court stated that, typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable. The court went on to note that the danger of a plane crashing if unauthorized individuals invaded the cockpit was a risk that the defendant plane manufacturer should reasonably have foreseen—indicating that terrorist acts are indeed foreseeable.
A second case involved Verizon and the Maine Public Utilities Commission. The case dealt with whether Verizon could get a waiver for certain performance failure penalties that it was required to pay. Verizon argued that it should not have to pay, since its website went down due to the Slammer worm. The commission found that viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies. The commission found that Verizon had not taken the reasonable steps available to it; steps that competitors AT&T and WorldCom did take (installing patches to ward against Slammer). Ultimately, the commission found that Verizon should be held accountable for its failure, indicating that virus attacks are also completely foreseeable events.
So now that threats to technology and other systems are no longer considered unforeseeable, what is a conscientious CSO to do? They must be able to prove they use best practices with respect to policies for information management, security, implementation of those policies and disaster recovery plans.
More info: http://www.csoonline.com/read/050104/flashpoint.html
According to security firm NTA Monitor, UK businesses are drowning under a rising tide of medium and low-level security vulnerabilities as they fight to deal with high-risk security flaws.
The company’s research – based on analysis of almost 500 network perimeter security tests of clients in both the public and private sector – found that a third of corporate networks have at least 10 flaws, opening themselves to “considerable risk of malicious attack”.
High-risk flaws were discovered in only 3.9 per cent of tests, while medium flaws were found in 74.3 per cent of tests and a low-risk vulnerability of some kind was found in every test carried out.
Security issues relating to the configuration of internet routers were found to account for the most frequently identified vulnerability.
Poorly configured routers can allow an attacker to let themselves into a network and can also be used as a stepping stone to attack other systems, NTA Monitor warned.
The most common problem the security firm found threatening its customers was denial of service (DoS) attacks.
Low-level flaws were identified in all networks in both 2003 and 2004, while medium-level flaws climbed from 73 per cent in 2003 to 74.3 per cent in 2004.
http://www.vnunet.com/News/1155120
Microsoft announced an unprecedented eight patches to fix 21 vulnerabilities on “Patch Tuesday” last month, one of which Sasser’s creators exploited within three weeks.
Given the Sasser worm variants have hit 500,000 to 1 million unpatched machines to date, according to industry estimates, concern abounds that the window is rapidly closing between the time it takes vendors to identify holes and for attackers to take advantage of them.
Each new assault taking the world closer to zero-day exploits, when hackers will have the means to strike the day a new gap is announced.
Mark Nicollet, analyst for Connecticut-based research and advisory firm Gartner Inc., said the challenge is for organizations to put systems in place to end the recurring nightmare where administrators scramble to update their security software ahead of the next worm or virus, only to discover later that the patches they installed conflict with other software, causing computers to slow down or crash. We need to reach the point where blocking technology is effective enough to let us patch in a less disruptive, risky way, even without zero-day exploits.”
Eric Schultze, chief security architect for Shavlik Technologies of Roseville, Minn., said when it comes to the prospect of zero-day attacks, his biggest concern is that software experts are putting too much information in the public domain and unintentionally helping the hackers. He said researchers think they’re helping the IT community by putting detailed reports outlining the latest security flaws on the Internet for all to see. Schultze said the best approach is for researchers to “find the bug, alert the vendor and keep the rest out of the public domain.”
As the industry waits for Microsoft’s announcement and the next malicious code, some express skepticism that the zero-day attack will ever happen.
“I don’t think it’ll reach the point where hackers have a zero-time turnaround,” said Dennis Racca, president of network security provider Umbra Networks in Andover, Mass.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci963170,00.html
A young virus writer, sitting in his underwear in his parent’s dark basement, takes a hex editor and modifies a few bytes of the latest Netsky.M (16.5kb), Beagle.J (12kb) or Mydoom.G (20kb) mutation, spawns a new virus variant, and then releases it into the wild.
The resulting few thousand compromised machines, a conservative estimate perhaps, will sit naked as drones or “bots” on the Internet, waiting patiently for their summons and commands.
A mere 12 kilobytes of action-packed code is impressive.
For a 12 kilobyte Beagle, you get total system compromise, plus a highly effective spam engine.
The latest code that brings a Microsoft computer to its knees is small enough that it could be silk-screened onto an extra-large t-shirt: a walking time bomb, if you will.
With today’s monolithic software programs and operating systems, often barely fitting compressed on a CD-ROM, it’s easy to see how small bits of malicious code can slip under the radar.
I still remember the days, many computer-years ago now, when BackOrifice and SubSeven Trojans first came out.
At just over 100kb, they were impressive in their day.
Back then most people were running Windows 98, and a small 100kb email attachment could easily slip into the operating system and wreak havoc without ever being noticed.
Today these are 100kb Trojans are monolithic in comparison to our modern email-based worm-virus-backdoor-spam-engines that tend to be under 20kb; these old relics are still a useful footnote, however, for watching the long-term evolution of malicious code.
Speaking of monolithic: Windows XP Home Edition requires approximately 1,572,864 kilobytes (1.5Gbytes) for a typical install, according to Microsoft.
Of course, it’s better/faster/easier-to-use than previous versions, as the advertisements say, and if you believe the literature too it’s also less buggy and significantly more secure.
The public relations spin machine for such a large company is fascinating to me Windows has become bloated into millions and millions of lines code, yet it only takes a mere 12 kilobytes to provide full system compromise and an annoying spam engine.
The divide between David and Goliath has never been greater.
Consider an analogy on the size of modern malicious code: if Windows XP were the size of the Empire State Building, then the little barking Beagle virus – the size of a small dog – can come in through the front door, lift its leg, deliver its payload, and somehow cause the entire building to come crumbling down.
The latest craze in the virus-worm-spam war has seen computer worms crawling inside of other computer worms – like watching maggots crawl on top of each other as they make their way through a tender piece of meat.
Some of the latest worms found in the wild have multi-vector propagation algorithms and also make use of previous viral infections by Beagle and Mydoom.
I do not know to what extent Microsoft’s code is scrutinized through an exhaustive security audit, but two years after Bill Gates’ long-heralded announcement the holes in the cheese are larger than they’ve ever been.
For now we’re stuck with millions and millions of lines code compiled into a giant operating system that can be wiped out of existence remotely with nothing but a small 12 kilobyte piece of code, launched by someone in his underwear on the other side of the world.
http://www.theregister.co.uk/content/55/36345.html