Archive for the ‘Web Security’ Category

Social Networks Primary Target for Hackers in 2009

Friday, August 21st, 2009

Breach Security has released its Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report, which indicates that social networking sites have been the most targeted sector for hackers so far this year.

The data, compiled from publicly reported application-related security incidents, indicates that 19% of the hacks in the first half of 2009 targeted social networking sites like Twitter and Facebook. This is the first year in which social networks have shown up as a distinct attack sector in the WHID data. In 2008, government was the leading sector targeted. The data also shows a 30% increase in overall web attacks compared to the first half of 2008.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

Download a copy of the report here.

Also making major news right now is the indictment of Albert Gonzalez on charges of hacking into Heartland Payment Systems. Gonzalez is already awaiting trial over his involvement in the TJX hack, which makes him part of the hacking team behind two of the largest hacker-driven breaches in history. Read more here.

McAfee 2009Q2 Threat Report

Wednesday, August 19th, 2009

McAfee has released its Q2 Threat Report for 2009, which indicates that spam volumes have risen by 141% since March, making this the “longest ever streak of increasing spam volumes” on record. The Q1 threat report, discussed here, indicated that cybercriminals had taken over almost 12 million new IP addresses (zombies) since January, a 50% increase over 2008. That record has now been broken: Q2 set a new record for zombie computer levels, at nearly 14 million.

In addition to spam volumes, the Q2 report looks at some new trends and threats, as well as the continuing trends of cybercrime as a service and cybercriminals targeting social networks. Indeed, a major attack was launched against Twitter and Facebook just this week.

Key Findings from this Threat Report:

  • More than 14 million computers have been enslaved by cybercriminal botnets (a 16% increase over Q1)
  • Spam rose 80% this quarter over Q1, with June beating the highest spam level ever recorded
  • Spam made up 92% of all mail, also a new record high
  • Over a 30-day period, AutoRun malware affected more than 27 million files, making it one of the most prevalent pieces of malware in the world (with a detection rate greater than Conficker’s)
  • There were nearly 14 million new zombies in Q2, also a new record. The U.S., China and Brazil host the most zombies.

Download the Q2 Report here [PDF].

Have You Checked Your Password Strength?

Friday, August 14th, 2009

After reading a very good article recently about the importance of strong passwords, I thought I’d put together a simple post to ask – have you checked the security of your passwords lately? Are they strong enough?

The easiest way to check your password strength is to use Microsoft’s Password Checker, which rates how strong your password is. A high rating doesn’t guarantee that your password won’t be cracked: a meter like this judges length and character variety, not whether the password already sits in a cracking dictionary or a leaked list. Still, knowing your password is as strong as it can be is one simple step you can take to protect your personal information.

Here’s me checking one of my passwords:

[Screenshot: password-checker.jpg]

If you don’t hit the ‘best’ level in the password strength meter, consider changing your password. You can follow the tips Microsoft lays out here, or read more in the article referenced above on Windows Secrets.
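To show what a meter like this actually measures, here is an added example of a small offline strength estimator. It is not Microsoft’s Password Checker and not code from the article referenced above; the Weak/Medium/Strong/Best labels mirror a typical four-level meter, the bit thresholds and the tiny common-password list are assumptions chosen for illustration, and a real checker would load a breach corpus of hundreds of thousands of entries.

```python
"""Offline password-strength estimate: an added example, not the
Microsoft Password Checker. It shows what such a meter measures
(length, character variety, obvious patterns) and what it cannot
(whether the password has already leaked). The four labels mirror
the Weak/Medium/Strong/Best scale a typical meter shows; the bit
thresholds are an assumption, not a published standard."""
import math
import re
import string

# Constructed stand-in for a breach/common-password list. A real checker
# would load hundreds of thousands of entries from a breach corpus.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "abc123", "iloveyou", "admin", "monkey", "dragon",
}

# Keyboard rows; four-character walks along them ("qwer", "4321") cost bits.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def char_pool_size(pw: str) -> int:
    """Alphabet size a brute-force attacker must assume, from the classes present."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable symbols
    if any(c.isspace() for c in pw):
        pool += 1
    if any(ord(c) > 127 for c in pw):
        pool += 100  # assumption: rough allowance for non-ASCII characters
    return pool


def has_keyboard_walk(pw: str, length: int = 4) -> bool:
    """True if pw contains a run of `length` adjacent keys, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            frag = row[i:i + length]
            if frag in low or frag[::-1] in low:
                return True
    return False


def estimate_bits(pw: str) -> float:
    """Brute-force entropy estimate in bits, penalised for dictionary hits and patterns."""
    if not pw:
        return 0.0
    # "Password1!" is just "password" with a suffix; strip it before the dictionary check.
    base = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return 0.0  # an attacker tries these first, so they are worth nothing
    bits = len(pw) * math.log2(char_pool_size(pw) or 1)
    if re.search(r"(.)\1{2,}", pw):  # "aaa", "111": three or more repeats
        bits -= 10
    if has_keyboard_walk(pw):
        bits -= 10
    return max(bits, 0.0)


def rate(pw: str) -> str:
    """Map the estimate to the four-level scale most meters display."""
    bits = estimate_bits(pw)
    if bits < 28:
        return "Weak"
    if bits < 40:
        return "Medium"
    if bits < 60:
        return "Strong"
    return "Best"


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "aaaa1111",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} {estimate_bits(candidate):6.1f} bits  {rate(candidate)}")
```

The point the two weak entries make is the one a meter cannot: “Password1!” satisfies every character-class rule, yet it is a dictionary word with a predictable suffix, so a cracker tries it almost immediately. The long lowercase passphrase scores far higher despite using only one character class, because length dominates the estimate.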

12 Steps to Secure your Small Business Wi-Fi Network

Wednesday, August 12th, 2009

A guest author at InformIT has put together a list of 12 tips to consider when securing your small business wireless network. The list was put together by Eric Geier, author of WiFi Hotspots: Setting Up Public Wireless Internet Access, a book released as part of the Networking Technology Series from Cisco Press.

The recommended 12 steps to a secure small business wi-fi network are:

  1. Use WPA Encryption — preferably WPA2
  2. Use the Enterprise version of WPA/WPA2
  3. Secure Ethernet Ports
  4. Use Extra Encryption (VPNs)
  5. Don’t Connect to Other Networks
  6. Separate Traffic with VLANs
  7. Secure Shared Folders and NAS Devices
  8. Verify Firewalls
  9. Use MAC Address Filtering
  10. Disable SSID Broadcasting
  11. Keep Hardware Updated
  12. Keep Wi-Fi Signals Contained

Learn more about these 12 steps here.

One caveat worth adding: steps 9 and 10 are the weakest of the twelve. MAC addresses are trivially spoofed, and a hidden SSID still appears in the probe and association frames that any wireless sniffer can see. Treat them as minor hardening on top of WPA2, not as access control.

Canadian Government Pushes for Facebook Privacy Changes

Tuesday, August 11th, 2009

Last month, Canada’s Privacy Commissioner released a statement on Facebook’s compliance with Canadian privacy law. The statement is the result of an investigation into allegations by the Canadian Internet Policy and Public Interest Clinic that Facebook was not complying with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in 24 respects, including default privacy settings, the collection and use of personal information, and the disclosure of personal information to third parties. Some of the allegations were found to be not well-founded, while others were upheld.

As a result, the Commissioner has released a Report of Findings together with a request that Facebook strengthen its privacy protections. The press briefing included some praise for Facebook’s current privacy measures, though many areas were identified for improvement.

Areas of requested improvement include:

  • Improving information about privacy practices (example: information on deactivating vs deleting an account)
  • Improving safeguards that restrict outside developers from accessing unnecessary profile information
  • Deleting personal information once it is no longer needed for the purpose for which it was collected (as Canadian law requires)

Facebook made some improvements to its privacy measures when it received an interim report; it now has 30 days (from July 16) to respond to the full report.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

The Privacy Commissioner is empowered to go to Federal Court to seek enforcement of the recommendations. So it may be that Canada’s report helps to strengthen Facebook’s privacy standards for all Facebook users!

Via internet evolution

Cybercrime on Social Networking Sites Up in 2009

Tuesday, August 4th, 2009

Sophos has released its mid-year Security Threat Report for 2009, covering cybercrime in the first half of this year. The report indicates that cybercriminals have increased the focus of their attacks on social networking sites and that hackers are increasingly using scare tactics to push users into paying for rogue anti-virus software.

The report indicates that cybercriminals are exploiting social networks both to identify potential victims and then to attack them through those same networks. It urges Web 2.0 companies to defend their existing users rather than growing their user base at the expense of security standards.

On the business side, the survey indicates that two thirds of businesses worry that information employees share online may put their corporate infrastructure at risk, and a quarter of organizations have already been exposed to spam, phishing or malware via social networking sites like Facebook, Twitter and MySpace.

Read more about, and download, the report here.

40 Million Identities For Sale Online

Tuesday, July 28th, 2009

According to The Times, more than 4 million British identities, and more than 40 million individuals’ identities worldwide, are being offered for sale on the internet. The information for sale includes sensitive financial data (credit card and bank details, and in some cases PINs).

This information was reportedly gathered by several means. According to the report, at least 250,000 bank and credit accounts were hacked into; other details were obtained through phishing, which dupes individuals into handing over data such as login details or credit card numbers. The information was collected over a four-year period by a British company, Lucid Intelligence, and collated into a single database, which is what allows these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The Times also reports that other sensitive information, such as corporate email access details, is being sold on online forums and hacking websites, which exposes companies to data breaches.

Individuals can, for now, search the database for free to see whether their information has been sold online. It will specify what information about you is known, whether that is just your email address, your mailing address, or higher-risk data such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?

Cybercrimes More Sophisticated, But So Too Are Countermeasures

Monday, July 27th, 2009

According to the Cisco 2009 Midyear Security Report, internet criminals are becoming more sophisticated and are using increasingly targeted attacks. However, Cisco predicts that increased collaboration between organizations, as seen in the response to Conficker, together with new security policies may make it harder for attacks to infiltrate and spread.

The Midyear Security Report provides an overview of Cisco security intelligence, including information about new threats and trends, for the first half of 2009. Highlights from the Report:

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and users are paying little attention to these types of threats
  • Compromising legitimate websites to propagate malware remains a highly effective technique
  • Web 2.0 applications have become lures for criminals
  • Criminals are now targeting online banking customers using well-designed, localized text message scams
  • The Obama administration has made strengthening U.S. cybersecurity a high priority and plans to meet threats through technological innovation and partnership with the private sector; other countries are following suit
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly

Given the interest in insider threats, the report also describes a possible increase in this threat in light of the current economic instability. This section of the report largely reiterates other studies and articles on the topic, providing context for what could be a growing security trend.

Download the report here.

Via eweek

US Accounts for 23% of Malicious Computer Activity

Wednesday, July 8th, 2009

Symantec recently released a ranking of the countries responsible for most of the world’s cybercrime. As you’d expect, countries with high rates of high-speed Internet connections rank highest, with the top three being the US, China and Germany.

Symantec compiled the list by looking at malicious code, spam zombies, the number of websites hosting phishing pages, the number of bot-infected computers controlled by criminals, and the country from which attacks originated. The study is based on data for 2008.

Top 10 Countries with Most Cybercrime

  1. United States – 23% share of malicious computer activity
  2. China – 9% share of malicious computer activity
  3. Germany – 6% share of malicious computer activity
  4. Britain – 5% share of malicious computer activity
  5. Brazil – 4% share of malicious computer activity
  6. Spain – 4% share of malicious computer activity
  7. Italy – 3% share of malicious computer activity
  8. France – 3% share of malicious computer activity
  9. Turkey – 3% share of malicious computer activity
  10. Poland – 3% share of malicious computer activity

As you can see, the US accounts for some 23% of the world’s malicious computer activity. That’s a big jump over the countries ranked lower on the list, with the US leading on nearly all of the malicious activities tracked by Symantec.

If you download the latest Spam Intelligence report, which covers spam in the second quarter of 2009, you’ll see that overall spam levels are on the rise. Malicious websites are also on the rise, with 67% more malicious websites blocked per day in June than in May of this year.

Via businessweek / Image: ppdigital @morguefile

How Secret are your Secret Questions?

Wednesday, May 27th, 2009

Just how “secret” are your “secret questions”? When you sign up for many websites, they offer a password-retrieval system that lets you pick a pre-set question, or a question of your own, and an answer that will later unlock the account.

Most of the time, the secret questions we gravitate towards are easy ones: “What’s your mother’s maiden name?” or “What’s your pet’s name?”. We’ll remember those answers easily, but others may figure them out just as easily.

Research presented by Microsoft and Carnegie Mellon University at the IEEE Symposium on Security and Privacy this week indicates that, among 130 people surveyed, 28% could guess the correct answers to other people’s secret questions if they “knew and were trusted” by them. For those without such a close tie, there was still a 17% chance that the answer could be guessed.

“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”

And this study doesn’t even account for an attacker willing to spend time digging up information about you. So ask yourself: how “secret” are the answers to your questions?

Answers that require only a little personal knowledge to guess should be considered unsafe; questions like “What’s your favorite sports team?” or “Where were you born?” fall into this category.

The study also found that memorable questions still pose a risk to legitimate users: 16% of participants had forgotten the answers to their secret questions 3-6 months later, even for questions they considered memorable, and 1 in 5 forgot all the answers to their secret questions.

Bruce Schneier, a security expert, says that he’ll often type a random answer to a security question and call the company if he needs to recover a password.
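For anyone building the other side of this, here is an added example (not code from the study, from Schneier, or from any site mentioned above) of how a service can handle secret-question answers less badly: reject answers that a stranger trying the most popular answers would hit within a lockout threshold, store answers as salted PBKDF2 digests rather than plaintext, normalise case and whitespace so a legitimate user retyping “Fluffy ” months later still matches, and generate a random, unrelated answer the way Schneier describes. The popular-answer list, the five-attempt threshold and the PBKDF2 round count are assumptions for illustration.

```python
"""Server-side handling of secret-question answers: an added example,
not code from the study or from any site mentioned in the post. It
shows (1) rejecting answers that a guesser trying the most popular
answers would hit in a few tries, (2) storing answers as salted
PBKDF2 digests rather than plaintext, with normalisation so that
"Fluffy " and "fluffy" still match, and (3) generating a random
answer the way Schneier describes, to be kept in a password manager.
The popular-answer list and the PBKDF2 round count are assumptions."""
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed list of common answers to "What's your pet's name?", most
# popular first. A real service would build this from its own answer statistics.
POPULAR_PET_NAMES = ["max", "buddy", "bella", "charlie", "lucy", "molly", "daisy"]

PBKDF2_ROUNDS = 200_000  # assumption; tune upward as hardware allows


def normalize(answer: str) -> str:
    """Fold case and Unicode form, trim and collapse whitespace.

    Secret answers are typed from memory months later, so matching must
    be forgiving about capitalisation and spacing, but nothing else."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def too_guessable(answer: str, popular=POPULAR_PET_NAMES, max_attempts: int = 5) -> bool:
    """True if an attacker with no personal knowledge, trying the most popular
    answers in order, would succeed within max_attempts (the lockout threshold)."""
    return normalize(answer) in popular[:max_attempts]


def random_answer(nbytes: int = 12) -> str:
    """A Schneier-style answer: random, unrelated to the question, unguessable."""
    return secrets.token_urlsafe(nbytes)


def enroll(answer: str) -> dict:
    """Store only a per-record salt and the PBKDF2 digest of the normalised answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "rounds": PBKDF2_ROUNDS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute and compare in constant time; never log the attempt or the digest."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode("utf-8"),
                                 record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    for answer in ("Max", "Rover"):
        verdict = "rejected, too guessable" if too_guessable(answer) else "accepted"
        print(f"{answer!r}: {verdict}")
    record = enroll("Rover")
    print("verify('rover '):", verify(record, "rover "))  # True
    print("verify('max'):   ", verify(record, "max"))     # False
    generated = random_answer()
    print("random answer:", generated, "guessable:", too_guessable(generated))
```

The design choice worth noting is that the answer is treated exactly like a password: the database holds nothing a thief could read back, and the popularity check is the analogue of a common-password blacklist. Forgiving normalisation addresses the other finding in the study, that users forget or mistype their own answers; it trades a little entropy for a much lower lockout rate, which is the right trade for a backup factor.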

Via technology review ; Image: Clipart
