Posts Tagged ‘Web Security’

McAfee 2009Q2 Threat Report

Wednesday, August 19th, 2009

McAfee has released the Q2 Threat Report for 2009, which indicates that spam volumes have gone up by 141% since March, making this the “longest ever streak of increasing spam volumes” on record. The Q1 threat report, discussed here, indicated that cybercriminals had taken over almost 12 million new IP addresses (zombies) since January, a 50% increase over 2008. This record has now been broken: Q2 set a new record for zombie computer levels, at nearly 14 million.

In addition to spam volumes, the Q2 report looks at some new trends and threats, as well as continued trends of cybercrime as a service and cybercriminals targeting social networks. Indeed, a major attack was led against Twitter and Facebook just this week.

Key Findings from this Threat Report:

  • > 14 million computers have been enslaved by cybercriminal botnets (16% increase over Q1)
  • Spam has risen 80% in this quarter, over Q1, with June beating the highest ever recorded spam level
  • Spam comprised 92% of all mail, also setting a new record high
  • Over a 30-day period, AutoRun malware troubled more than 27 million files, making it one of the most prevalent pieces of malware in the world (with a detection rate greater than Conficker’s)
  • There were nearly 14 million new zombies in Q2, also a new record. Computers in the U.S., China and Brazil lead the zombie figures.

Download the Q2 Report here [PDF].

Have You Checked Your Password Strength?

Friday, August 14th, 2009

After reading a very good article recently about the importance of strong passwords, I thought I’d put together a simple post to ask – have you checked the security of your passwords lately? Are they strong enough?

The easiest way to check your password strength is to use Microsoft’s Password Checker, which will tell you if your password is strong enough. It doesn’t guarantee that your password won’t be hacked, but knowing your password is as strong as it can be is one simple step you can take to protect your personal information.

Here’s me checking one of my passwords:

[Image: password-checker.jpg]

If you don’t hit the ‘best’ level in the password strength meter, consider changing your password. You can follow the tips Microsoft lays out here, or read more in the article referenced above on Windows Secrets.
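To show what a strength meter actually measures, here is an added example (written for this post, not Microsoft’s Password Checker or anyone else’s code): it estimates brute-force entropy from the character classes used, then applies a few structural checks that an entropy figure alone misses. The wordlist and the tier thresholds are assumptions made for the demo.

```python
import math
import re
import string

# Constructed, deliberately tiny breach-style wordlist for the demo; real meters
# check millions of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

def char_pool_size(pw):
    """Size of the alphabet an attacker must search, based on the classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)   # 32 ASCII symbols
    if any(c.isspace() for c in pw):
        pool += 1
    return pool

def estimate_entropy_bits(pw):
    """Naive brute-force entropy: length * log2(pool). Ignores structure, hence the checks below."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(char_pool_size(pw) or 1)

def find_issues(pw):
    """Cheap structural checks that catch what the entropy figure alone misses."""
    issues = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        issues.append("common password")
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if re.fullmatch(r"(.)\1+", pw):
        issues.append("single repeated character")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf", lowered):
        issues.append("sequential run")
    if re.search(r"(19|20)\d\d", pw):
        issues.append("contains a year")
    return issues

def rate_password(pw):
    """Return the estimated bits, the issues found, and a meter tier
    (weak / medium / strong / best), mirroring the levels of a typical strength meter.
    Thresholds are assumptions chosen for this demo."""
    bits = estimate_entropy_bits(pw)
    issues = find_issues(pw)
    if "common password" in issues:
        bits = min(bits, 10.0)   # a wordlist hit falls in a handful of guesses
    if issues or bits < 28:
        tier = "weak"
    elif bits < 50:
        tier = "medium"
    elif bits < 80:
        tier = "strong"
    else:
        tier = "best"
    return {"bits": round(bits, 1), "issues": issues, "tier": tier}

if __name__ == "__main__":
    for candidate in ("password", "Summer2009", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {rate_password(candidate)}")
```

The point of the structural checks is the caveat behind any meter: “Summer2009” scores almost 60 bits on character classes alone, yet it is rated weak here because a capitalised word plus a year is one of the first patterns a guessing tool tries. A meter can tell you a password is predictable; it cannot tell you it is safe.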

Canadian Government Pushes for Facebook Privacy Changes

Tuesday, August 11th, 2009

Last month, Canada’s Privacy Commissioner released a statement about Facebook and its compliance with Canadian privacy laws. The statement is the result of a study into allegations by the Canadian Internet Policy and Public Interest Clinic that Facebook was not complying with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act. These aspects included default privacy settings, collection and use of personal information, and disclosure of personal information to third parties. Some of the findings concluded that the allegations were not well-founded, while others were supported.

As a result of the report, Canada has released its Report of Findings and its request that Facebook strengthen its privacy protections. The press briefing included some praise for Facebook’s current privacy measures, though many areas were identified for improvement.

Areas of requested improvement include:

  • Improving information about privacy practices (example: information on deactivating vs deleting an account)
  • Improving safeguards that restrict outside developers from accessing unnecessary profile information
  • Deleting personal information after it is no longer necessary to meet appropriate needs (to comply with Canadian law)

Facebook made some improvements to their privacy measures when provided with an interim report; they now have 30 days (from July 16) to respond to the full report.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

The Privacy Commissioner is empowered to go to Federal Court to seek that the recommendations be enforced. So, it may be that Canada’s report helps to strengthen Facebook privacy standards for all Facebook users!

Via internet evolution

Cybercrime on Social Networking Sites Up in 2009

Tuesday, August 4th, 2009

Sophos has released its mid-year Security Threat Report for 2009, which looks at cybercrime for the first half of this year. The report indicates that cybercriminals have increased the focus of their attacks on social networking sites and that hackers are increasingly using scare tactics to solicit users to pay for rogue anti-virus software.

The report indicates that cybercriminals are both exploiting social networks to identify potential victims and then using these networks to attack them. The report encourages Web 2.0 companies to defend their existing users, rather than focusing on growing their userbase at the expense of security standards.

In terms of business data, the survey indicates that two thirds of businesses are worried that information shared by employees online may put their corporate infrastructure at risk. Right now, a quarter of organizations have been exposed to spam, phishing or malware via social networking sites like Facebook, Twitter and MySpace.

Read more about, and download, the report here.

40 Million Identities For Sale Online

Tuesday, July 28th, 2009

According to The Times, more than 4 million British identities and more than 40 million individuals’ identities worldwide are being offered for sale on the internet. The information available for sale includes sensitive financial information (credit card / bank details, some PINs).

This information was reportedly made available online through several different channels. From what the report indicates, at least 250,000 bank / credit accounts were hacked into. Other information was obtained through phishing, which dupes individuals into handing over their details (such as login details or credit card details). The information was intercepted over a four-year period by a British company, Lucid Intelligence, and collated into a single database, allowing these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The report from The Times indicates that other sensitive information, such as corporate email access details, is being sold in online forums or hacking websites. This puts companies at risk for data breach issues.

Individuals can search the database for free, for now, to see if their information has been sold online. It will specify what information about you is known – whether it’s just your email address, your mailing address, or more high risk information such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?

Cybercrimes More Sophisticated, But So Too Are Countermeasures

Monday, July 27th, 2009

According to the Cisco 2009 Midyear Security Report, internet criminals are becoming more sophisticated, using increasingly targeted attacks. However, Cisco predicts that increased collaboration between organizations, like what we saw with Conficker, and new security policies may make it more difficult for attacks to infiltrate and spread.

The Midyear Security Report provides an overview of Cisco security intelligence, including information about new threats and trends, for the first half of 2009. Highlights from the Report:

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and users are paying little attention to these types of threats.
  • Compromising legitimate websites to propagate malware remains a highly effective technique
  • Web 2.0 applications have become lures for criminals
  • Criminals are now targeting online banking customers using well-designed, localized text message scams
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are following suit.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly.

Given the interest in insider threats, the report also details a possible increase in this threat given the current economic instability. This section of the report mainly reiterates other studies and articles on the topic, providing context for what could be a growing security trend.

Download the report here.

Via eweek

How Secret are your Secret Questions?

Wednesday, May 27th, 2009

Just how “secret” are your “secret questions”? You know, when you sign up for many websites, they have a password-retrieval system that allows you to use a pre-set question, or a question of your own.

Most of the time, the secret questions we tend to gravitate towards are easy – things like “What’s your mother’s maiden name?” or “What’s your pet’s name?”. We’ll remember those answers fairly easily… but others may figure them out just as easily.

Research presented by Microsoft and Carnegie Mellon University at the IEEE Symposium on Security and Privacy this week indicates that 28% of people surveyed (130 people were surveyed) could guess the correct answers to other people’s secret questions if they “knew and were trusted” by them. For those without such a close tie, there was still a 17% chance that the answer to the question could be guessed.

“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”

This study doesn’t even take into account a hacker who may be willing to take the time to dig up information about you! So, ask yourself, how “secret” are the answers to your questions?

Answers that require only a little personal knowledge to guess should be considered unsafe. Those questions could include “What’s your favorite sports team?” or “Where were you born?”

The study found that memorable questions still pose a risk to legitimate users: 16% of the participants had forgotten the answers to their secret questions 3-6 months later, even for questions they considered memorable, and 1 in 5 will forget all the answers to their secret questions.

Bruce Schneier, a security expert, says that he’ll often type in a random answer to a security question and will call the company if he needs to retrieve a password.

Via Technology Review; Image: Clipart

Virus that struck FBI identified

Monday, May 25th, 2009

The FBI and the US Marshals Service (USMS) were both forced to shut down parts of their computer networks on May 21st as a mystery virus struck. Reports today indicate the virus is believed to be Neeris, a new malware variant exploiting the same vulnerability as the Conficker worm.

Nikki Credit, a spokeswoman for the Marshals, says that multiple computers may have been infected. The infection occurred because the Marshals computer network was not running the latest version of their OS and they were missing needed anti-virus software.

“Neeris and Conficker look for missing patches. If the PCs and servers are patched, the malware doesn’t work,” John Pescatore, research director and vice president at Gartner, told SCMagazineUS.com in an email on Friday. “The patch for this has been out since October 2008.”

When the virus was detected, the IT staff at the Marshals disconnected the computers from the Justice Department’s network to prevent further spread. Anti-virus software was updated and updates were pushed to all agency computers. No data was compromised at the USMS, though they were lucky that was the case. The FBI has not provided details about its “network issue.”

The biggest step you can make in protecting your company is to always keep your software up to date. This minimizes the risk of data being unnecessarily exposed to known threats. If you have Computrace by Absolute Software, you can use it to identify which of your devices is missing the latest patch.

Via CNet, AP, SC Magazine

How Much Info About You Is Online?

Thursday, May 14th, 2009

Robert L. Mitchell of Computerworld decided to tackle his own identity online to see just what information about himself he could dig up. After a privacy activist was able to retrieve his Social Security number, full name, address and a digital image of his signature online, Robert was both concerned and intrigued about what else could be out there.

Robert spent a few weeks combing through public and private resources (some paid) on the web to build up a dossier on himself. He spoke with everyone from private investigators to privacy experts. And in the end, Robert found that there was a vast amount of information about him online, and not all of it accurate. Many states have not taken adequate steps to redact sensitive information from the documents, such as mortgage documents, they make available to the public.

Robert put his full findings online, also breaking down the information by type of source. His first source was government records, which let him pull up his full legal name, address, Social Security number, spouse’s name and Social Security number, price paid for home, mortgage documents, and signature. Robert continued his search with free people searches, search engines, image searches, social network searches, and paid searches. And that may only be the “tip of the iceberg”, in terms of what else is easily accessible.

“Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents — and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.”

I was surprised to learn from this article that public records that contain Social Security numbers are not well regulated, and that if the government makes those records public, it can open that information to republishing without repercussions. You can read more about that in the call-out box at the bottom of this page. 

Robert’s search was very revealing, and certainly had him reviewing all the information available about him online. He’s taken steps to redact his Social Security number from government records online and has gone so far as to call his credit card and bank companies to test their authentication policies. In some cases, he was authenticated using this information he found online and, to his credit, he’s suggested those companies review their authentication protocols. We mostly consider identity theft the result of lost or stolen information, but this exercise shows that you may be at risk already.

Have you found your Social Security number or other sensitive information online? Let us know in the comments.

Also check out this 3D artistic representation of security threats. Makes all these horrible threats seem almost beautiful!

image: mconnors @morguefile

The Laws of Vulnerabilities

Wednesday, May 13th, 2009

Qualys recently published a new report on the Laws of Vulnerabilities 2.0. The report reveals the vulnerability half-life, prevalence, persistence and exploitation for 5 industry segments. The report found that different industries are patching their systems at different speeds.

The report is based on an analysis of 680 million vulnerabilities, from 80 million scans, which resulted in 11% of those vulnerabilities being listed as “critical.” The service industry patches its systems the fastest, with a half-life of 21 days (meaning 50% of all systems were patched in the first 21 days after a fix is released); manufacturing ranked lowest at 51 days.

The 2008 data was compared against the same study done in 2003, revealing an average half-life for patching of 29.5 days, only half a day faster than in 2003. While companies are not speeding up their patching practices, attackers are speeding up their exploits: 80% of vulnerability exploits are now available within single-digit days after the vulnerability’s public release.
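To make the half-life metric concrete, here is an added example (written for this post, not Qualys’ methodology or data) that computes a patch half-life per industry from a constructed set of scan observations. The half-life is taken as the first day after a fix’s release by which at least 50% of the affected systems were seen patched; systems that were never patched stay in the population rather than being dropped. It also reports the share of systems still exposed on day 9, the end of the single-digit window in which most exploits appear. The industry names and scan rows are made up for the demo.

```python
import math
from collections import defaultdict

# Constructed sample scan data, NOT Qualys data: (industry, system_id, days_to_patch).
# days_to_patch is the number of days after the fix's release at which the system
# was first seen patched, or None if it was still unpatched at the last scan.
SCANS = [
    ("services", "svc-01", 3),  ("services", "svc-02", 10), ("services", "svc-03", 21),
    ("services", "svc-04", 40), ("services", "svc-05", None), ("services", "svc-06", 15),
    ("manufacturing", "mfg-01", 30), ("manufacturing", "mfg-02", 51), ("manufacturing", "mfg-03", None),
    ("manufacturing", "mfg-04", 70), ("manufacturing", "mfg-05", 12), ("manufacturing", "mfg-06", None),
]

def half_life(days_to_patch):
    """Smallest day d by which at least half of the systems were patched.
    Returns None if the 50% mark was never reached (still-unpatched systems count
    against the population, so they cannot be silently dropped)."""
    n = len(days_to_patch)
    if n == 0:
        return None
    patched = sorted(d for d in days_to_patch if d is not None)
    needed = math.ceil(n / 2)          # systems that must be patched to reach 50%
    if len(patched) < needed:
        return None
    return patched[needed - 1]

def fraction_unpatched_at(days_to_patch, day):
    """Share of systems still exposed on a given day after the fix was released."""
    n = len(days_to_patch)
    if n == 0:
        return 0.0
    done = sum(1 for d in days_to_patch if d is not None and d <= day)
    return 1 - done / n

def half_lives_by_industry(scans):
    """Group scan rows by industry and compute each group's half-life."""
    groups = defaultdict(list)
    for industry, _system_id, days in scans:
        groups[industry].append(days)
    return {industry: half_life(days) for industry, days in groups.items()}

if __name__ == "__main__":
    for industry, hl in half_lives_by_industry(SCANS).items():
        days = [d for ind, _, d in SCANS if ind == industry]
        print(f"{industry}: half-life {hl} days, "
              f"{fraction_unpatched_at(days, 9):.0%} still unpatched at day 9")
```

The day-9 figure is the one worth watching: with exploits appearing within single-digit days, a half-life measured in weeks means most of the fleet is still exposed when working exploit code is already circulating.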

Check out the full Laws findings here.

Also check out this interview with FBI Special Agent J. Keith Mularski, who spent 2 years posing as a cybercriminal as part of an undercover operation. Very interesting read.

Via security focus
