September 2009


Websense recently released their report for the first half of 2009. They have some very interesting findings, which I have summarized below.

  • In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball which aimed at compromising trusted Web properties with massive injection campaigns.
  • Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. Websense Security Labs found that 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • The “Dirty” Web is getting dirtier: 69 percent of all Web pages with content classified as objectionable (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link. This is becoming even more pervasive, as 78 percent of new Web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.
  • Websense Security Labs found that 37 percent of malicious Web attacks included data-stealing code, demonstrating that attackers are after essential information and data.
  • The Web continues to be the most popular vector for data-stealing attacks. In the second half of 2008 the Websense Security Labs found that 57 percent of data-stealing attacks are conducted over the Web.
  • The convergence of blended Web and email threats continues to increase. Websense Security Labs reports that 85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites or malicious Web sites.
  • In June alone, the total number of emails detected as containing viruses increased 600 percent over the previous month.

This information confirms that the Web is a dangerous place and is becoming more so. The reason is simple… money. Criminals have figured out that the benefit from online crime is high and the cost is low. Moreover, the chances of getting caught are slim. Compare the crime of identity theft or credit card fraud committed via the Internet with a physical crime such as a bank robbery. The cost of committing a crime on the Internet is low. One can obtain ready-made software on the Internet that will help you obtain credit card and other personal information with which it is possible to commit fraud. The risk associated with this crime is very low compared to the expected payoff. Robbing a bank, however, carries very high costs and risks. One could get shot, or get caught and sent to prison. And the likely payoff isn’t that great either. The average amount of money stolen during a bank robbery is less than $5000. This isn’t much compared with the risks.

Internet crime is a huge business.  To protect yourself, follow for using the Web safely.  Even legitimate and well known web sites can get compromised and be used to commit fraud against you.  And don’t think because you use a Mac that you are immune to these attacks.  You aren’t.  More on that in a future article.

Comments on Patch Tuesday


The second Tuesday of the month is always a busy day for IT and security pros. That, of course, is the day Microsoft releases their regular security updates. And this month’s list of advisories reminds me how far we have to go before we get the upper hand on the bad guys who exploit vulnerabilities for a living. Microsoft, like so many other software vendors, continues to release vulnerable software, and we continue to apply patches to fix those vulnerabilities. All the while, systems are exposed and often get compromised due to this game of reactive patch management.

Microsoft released 5 security advisories today to address 8 vulnerabilities:

  • MS09-045 – addresses a vulnerability in JScript (KB 971961)
  • MS09-046 – addresses a vulnerability in Microsoft Windows (KB 956844)
  • MS09-047 – addresses a vulnerability in Microsoft Windows (KB 973812)
  • MS09-048 – addresses a vulnerability in Microsoft Windows (KB 967723)
  • MS09-049 – addresses a vulnerability in Microsoft Windows (KB 970710)

The first three patches address vulnerabilities that allow a malicious web site to compromise an unpatched machine simply by visiting the site in a browser. These drive-by exploits are undoubtedly already set up on rogue web servers, compromising vulnerable systems even as I write this. Microsoft rated MS09-045 and MS09-047 as critical and MS09-046 as important.

The other two, MS09-048 and MS09-049, are more interesting and potentially more problematic. Both of these vulnerabilities are rated as important by Microsoft, but I would not be surprised if exploits for these two end up doing more damage than the others. The reason is that both patches address vulnerabilities in the network stack, which can be exploited without any intervention by the end user. This makes them good candidates for exploitation via a worm, which increases the criticality of these advisories. Microsoft believes these vulnerabilities are most likely to be exploited for denial of service, as it is difficult to reliably achieve remote code execution. But denial of service attacks can be very damaging, and it is not inconceivable that someone could write an exploit that smashes the stack, resulting in remote code execution.

Microsoft is not alone in releasing regular security patches and expecting us, the end users, to manage the process of performing the updates. Apple, Adobe, Red Hat, Sun and every other software vendor does the same thing. While I understand that software development is a complex endeavor, vendors must get better at integrating security testing and vulnerability analysis into their software development life cycle. But until they do, keep applying those patches.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved