This is a must read.
Do you know how to guard against scareware? How about Trojan horse text messages? Or social network data harvesting? Malicious hackers are a resourceful bunch, and their methods continually evolve to target the ways we use our computers now. New attack techniques allow bad guys to stay one step ahead of security software and to get the better of even cautious and well-informed PC users.
Don’t let that happen to you. Read on for descriptions of 11 of the most recent and most malignant security threats, as well as our complete advice on how to halt them in their tracks. (Source: Infoworld)
Here are the threats:
1. Shortened URLs
2. Data Harvesting
3. Social Network Impostors
4. Web Snooping
6. Trojan horse texts
7. Lost laptops, exposed data
9. Weak Wi-Fi security
10. Endangered data backups
11. Unpatched software
Go here to learn about the threats and how to protect against them. And learn about 5 security myths as well.
Related articles by Zemanta
- 5 Top Tips on How to Stay Safe While Using WiFi Abroad (travelblissful.com)
- Fake Spyware Blockers Are the New Internet Threat In 2010 (prweb.com)
- Pop-Up Security Warnings Pose Threats (deurainfosec.com)
If you haven’t applied the patch yet beware. If your still using IE 6, upgrade.
Starting late Wednesday, researchers at antivirus vendor Symantec‘s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.
Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.
As of midday Thursday, Symantec had spotted hundreds of Web sites that hosted the attack code, typically on free Web-hosting services or domains that the attackers had registered themselves.
The IE flaw being leveraged in these attacks was also used to hack into Google‘s corporate network last December. It has been linked to similar incidents at Adobe Systems and 33 other companies. Microsoft patched the vulnerability in an emergency security update Thursday morning.
The Google attack hit IE 6 on Windows XP, but over the past week hackers have found ways to exploit the flaw on more recent versions of the browser as well. These latest techniques do not appear to be used on the Web sites Symantec has uncovered. They use the IE 6 exploit code, Talbot said.
Still, with IE 6 still being widely used, the move to more widespread attacks is worrying. “It may be an indication that attackers have finally ramped up their attack toolkits and are now ready to launch widespread attacks,” Talbot said.
Phishing is being used to gain victims.
He believes that the criminals are tricking victims into visiting their Web sites by sending spam e-mail or instant messages with links to sites.
On Thursday, Websense published some sample e-mails used in targeted attacks that exploit the IE bug. A typical subject line is “Helping You Serve Your Customers.” The e-mail reads, “I just heard the news: Helping you serve your customers” and includes a link to the malicious Web site.
The e-mails contain spoofed e-mail addresses, designed to fool victims into thinking that they were sent by a colleague. The malicious Trojan used in the attack is not the same one that was used in the Google attack, however.
Websense has seen these e-mails sent to targeted companies in the U.S. and the U.K., said Patrik Runald, a security research manager with Websense. “These attacks are actually continuing; they happened today; they happened yesterday and they happened the day before.”
However, Websense believes that the e-mails it has tracked are part of a small-scale targeted attack, similar to those used on Google and Adobe in attacks that are ongoing. Websense has counted only about 25 malicious Web sites to date, but the number is rising fast, Runald said. (Source: InfoWorld)
Related articles by Zemanta
- Widespread attacks exploit newly patched IE bug (computerworld.com)
- Microsoft Plugs Security Hole Used in December Attacks (bits.blogs.nytimes.com)
- 5 More Reasons Why IE6 Must Die (mashable.com)
Security administrators are anxious, perhaps with good reason.
While domain name system security extension (DNSSEC) deployments and IPv6 offer a number of benefits, a lack of support and expertise could prompt an emerging wave of new botnet attacks, according to several security architects responding to a new survey from Arbor Networks Inc., a vendor that sells appliances that defend against botnet attacks.
The survey, in its fifth year, posed questions to 132 security professionals, many of them lead security architects at ISPs and large telecommunications firms. It is designed to highlight the security threats facing service providers.
Nearly 35% of those surveyed said sophisticated service and application-layer attacks represent the largest operational threat over the next 12 months, displacing large scale botnet-enabled attacks, which came in second this year at 21%.
“When Web services were located in single data centers in some aspects they were easier to defend, but now we’re dealing with more distributed environments,” said Craig Labovitz, chief scientist at Lexington Mass.-based Arbor Networks. “There are many more components today, and as Web services are evolving, so are the attacks.”
The big concern DDoS attacks which are becoming difficult to detect.
Distributed denial-of-service (DDoS) attacks, driven by botnets, have doubled in bandwidth since the attack was first identified in 2001. But according to the survey, botnet operators appear to be changing their tactics to make some DDoS attacks more difficult to detect and more focused on specific systems running a network.
DDoS attacks have risen from 400 Mbps in 2001 to more than 40 Gbps, but the survey found the attack scale growth slowing in 2009. Botnet operators also may be reaching the threshold for sustained malicious DDoS traffic, Labovitz said. In 2009, the highest sustained attack peaked at 49 Gbps.
“The lower bandwidth attacks are focused not so much on flooding the pipes and routers, but disabling and disrupting certain aspects of the distributed Web service,” Labovitz said.
And while high-profile volume attacks such as the DDoS attacks that brought down some South Korean and U.S. government websites are not sophisticated, the attacks are designed to remain undetected, which is what worries security architects the most, Labovitz said.
Another major concern: the lack of IPv6 security features.
Arbor said missing IPv6 security features in routers, firewalls and critical network infrastructure lacking support for IPv6 are a cause for concern. A lack of skilled professionals to test and deploy IPv6 supporting equipment may also result in more Internet-wide security vulnerabilities. Labovitz said most providers don’t believe all their routers can support IPv6 and provide the level of security necessary to sustain network up-time.
“The concern is that we’ve had issues with a string of availabilities of vanilla IPv4 and now we’re going to be introducing more things into the network,” Labovitz said. “They’re concerned it could tax technology operations and support, and cause significant challenges.”
Similar concerns exit for DNSSEC.
The survey found network operators concerned about an increase in attacks targeting DNS infrastructure, load balancers and large-scale SQL server back-end infrastructures.
The same concerns ring true for infrastructures that support DNSSEC. While the technology upgrade to DNS is expected to result in improved authentication and data integrity, deployments have been slow, but network security experts expect most top-level domains to be fully supporting DNSSEC by 2011.
Labovitz said the technology resolves many types of DNS injection attacks, but other underlying threats exist.
“There are many more moving parts,” he said. “It makes DNS messages bigger and more complicated.” (Source: SearchSecurity.com)
Related articles by Zemanta
- Targeted attacks replace botnet floods in telco nightmares (go.theregister.com)
- DNS Security Extensions are about to make the Internet a lot safer (downloadsquad.com)
- Internet Security Changes Coming Soon (lockergnome.com)
- DDoS attack hobbles major sites, including Amazon (news.cnet.com)
- What Researchers Are Learning About DDoS Tactics (computerworld.com)
Want a premium salary as an ISS professional? Make sure to obtain certifications in addition to the degree.
Security service providers and other channel partners who have invested in Global Information Assurance Certification (GIAC) training for their employees or who have hired employees who already have GIAC certifications will have a little more to advertise in 2010 with the announcement last week that three of the major GIAC tracks were accredited under the ANSI/ISO/IEC 17024 Personnel Certification program.
The most recent GIAC tracks to get the check-mark from ANSI were the GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Forensics Analyst (GCFA) programs.
One of the most well-known incident-handling certifications in the security world, GCIH was recently ranked as the No. 1 security certification that organizations pay a salary premium for according to the IT employment analysts with Foote Partners. Those certified with GCIH have proven they know about common attack techniques and tools used to penetrate enterprises and small businesses alike. The certification attests to their knowledge about how to defend against and respond to these attacks, as well as incidents caused by both innocently inept and malicious insiders.
Unique within the security industry, GCIA is designed to show that recipients understand how to manage any Intrusion Detection System, regardless of vendor. Those who hold this certification have shown they understand the fundamentals of network protection and are able to analyze traffic patterns well enough to spot and analyze anomalies.
The third program ANSI accredited last week, GCFA, is one of the most recognized digital forensic certifications. Those bestowed with this vendor-neutral certification have proven that they understand a panoply of computer forensics tools and know the most common criminal forensic analysis techniques to complete Windows- and Linux-based investigations.
It seems security skills are not only in demand but result in greater pay.
“Unlike other technology job segments, pay and demand for security skills have risen steadily since 2007 and neither budget nor headcount has diminished in economic hard times,” wrote Foote Partners principal, David Foote. “Driving continued momentum for steady jobs investment and career safety is the ‘perfect storm’ of more regulation; constant fear of increasing threats; greater customer expectations and demands aimed at vendors; and the splitting of business/strategic risk and operational security activities, which has been accelerated by market forces.”
This demand for such skills could prove profitable for channel partners who are able to hire and retain personnel on their consulting staff in order to market to those customers who don’t have the wherewithal or resources to maintain their own cadre of full-time security experts. (Source: Channel Insider)
Will be pursuing certifications following graduation in June.
Related articles by Zemanta
- Security through diversity (cdixon.org)
- Upcoming webinar: “Cloud Security for Dummies” hosted by SIIA (aws.typepad.com)
- BBB’s Data Security – Made Simpler Initiative (pindebit.blogspot.com)
Related articles by Zemanta
- Firefox 3.6 Released! (siok.wordpress.com)
- Firefox 3.6 Portable Available for Your Thumb Drive Needs [Downloads] (lifehacker.com)
- Mozilla Delivers Firefox 3.6 to Millions of Users (Melissa Shapiro/The Mozilla Blog) (techmeme.com)
- Personas: At last, I get my way! (chickswhoclick.wordpress.com)
Have to worry about the Romanian hackers too.
Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.
“TinKode,” a Romanian hacker who previously found holes in NASA‘s Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. “With this vulnerability I can see/extract all things from databases,” he blogged.
What’s with the weak security?
TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site’s name.
“Four-character passwords that are the same name as the database table names are inexcusable,” says Robert “RSnake” Hansen, founder of SecTheory.
Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. “[This is] a good example of how terrible our security posture is, and he didn’t even have to do anything tricky to find the exploit,” he says.
Considering SQL injection is a common vulnerability exploit this re-enforces the need to test systems regularly.
TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker “unu” demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.
SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.
“Every organization has these problems,” Hansen says. “They may not realize it, but they’re just waiting for a smart kid to come along and copy off every critical piece of information they have.” (Source: Dark Reading)
Of course common sense needs to be used when it comes to passwords as well. Storing in clear text?? Using four character passwords that are the name of the database?? Come on.
Related articles by Zemanta
- Web site scripting flaws are common and slow to be fixed (infoworld.com)
- Web application security is growing problem for enterprises (infoworld.com)
- RockYou Hack: From Bad To Worse (techcrunch.com)
- Useful SQL Injection Info (arnoldit.com)
An interesting prediction by Gartner.
“The need for computing hardware, either in a data center or on an employee‘s desk, will not go away,” Gartner said. “However, if the ownership of hardware shifts to third parties, then there will be major shifts throughout every facet of the IT hardware industry. For example, enterprise IT budgets will either be shrunk or reallocated to more-strategic projects; enterprise IT staff will either be reduced or reskilled to meet new requirements, and/or hardware distribution will have to change radically to meet the requirements of the new IT hardware buying points.”
If Gartner is correct, the shift will have serious implications for IT professionals, but presumably many new jobs would be created in order to build the next wave of cloud services.
But it’s not just cloud computing that is driving a movement toward “decreased IT hardware assets,” in Gartner’s words. Virtualization and employees running personal desktops and laptops on corporate networks are also reducing the need for company-owned hardware. (Source: InfoWorld)
Check the source link above to see other Gartner predictions.
Related articles by Zemanta
- Gartner issues its own 2012 prediction: end of IT as we know it (blogs.zdnet.com)
- 5 must-have IT management technologies for 2010 (computerworld.com)
- Microsoft, HP push businesses to clouds (news.cnet.com)
- Gartner predicts: Mobile Web overtakes PCs, Facebook wins, more outsourcing (seattletimes.nwsource.com)