Security industry faces attacks it cannot stop

By Robert McMillan
March 11, 2010 06:14 PM ET
IDG News Service –  At the RSA Conference in San Francisco last week, security vendors pitched their next generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry has failed to protect paying customers from some of today’s most pernicious threats.
The big news at the show had to do with the takedown of the Mariposa botnet — a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.
Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it’s still surprisingly hard to keep corporate networks safe.
That’s because for these advanced attacks to work, the bad guys need to find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect — or at least very quick about spotting intrusions — to keep APT threats at bay.
Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with iSEC Partners, one of the companies investigating the APT attacks. “All of the victims we’ve worked with had perfectly installed antivirus,” he said. “They all had intrusion detection systems and several had Web proxies scan content.”
The problem is that the bad guys can buy this technology too, and test and re-test their attacks until they slip through. “Anybody can download and try every single antivirus engine against their malware before they ship it,” Stamos said.
Emphasizing this point, antivirus testing company NSS Labs created a variation on the known Internet Explorer 6 attack, used in the Google incident, and tested it against seven popular antivirus products. NSS also tested the original attack code against the same antivirus products. The tests, conducted two weeks after the bug was made public, found that only McAfee’s antivirus product stopped the new variant of the attack.
One company, AVG, didn’t even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG and Trend Micro all failed to block a variant of the Aurora exploit.
But AVG said in response that its products detect the Aurora attack. A spokesman said the results were due to flaws in NSS’s testing methodology. However, the company does not dispute the claim that its product failed to detect variants of Aurora.

Internet Explorer Flaw Implicated in Chinese Attacks

A bug in the browser was a key part of recent attacks by Chinese hackers.
By Erica Naone

George Kurtz, CTO of McAfee Security, revealed new details of the recent attack on Google and other companies in a blog post this afternoon. A “zero-day” bug, a previously undiscovered vulnerability, in Microsoft’s Internet Explorer browser seems to have been a key part of the attack.

The attack on Google’s infrastructure, which Kurtz calls “Operation Aurora,” was able to steal some of the Web giant’s intellectual property, apparently in the process of pursuing access to the e-mail accounts of Chinese human-rights activists. Google has said that the same attack hit at least 20 other large companies.

Is Your Programmer or Network Admin A Hacker? Better Ask!

With the large number of hackers and the increasing threat from overseas hackers, more and more businesses are at risk of attack and exploitation. There are many types of hackers and certainly many degrees of intent and purpose. Most hackers are programmers and network security specialists who likely hold an ordinary 9-to-5 day job. Your business could be vulnerable to attack from internal sources as well as external ones. The question that remains to put to your programmers and network administrators is: “Is anyone here a skilled hacker?”

crossdomain.xml Policy File Issues With Flash Player

Does your Flash movie stop working because your links need the crossdomain.xml file, but you can’t place it at the root level? The crossdomain.xml file can be relocated to non-root locations, and that location can be defined in your Flash movie. The code is at the bottom of this article, and below is some expert advice on Flash security and cross site request forgery issues you must understand to protect your site.

When an attempt is made to load content into a SWF file at runtime, the request is subject to the Flash Player security model, which is in place to protect users and website owners. As part of this model, Flash Player by default prevents cross-domain loading of data, but allows cross-domain sending of data.

This security model was set up to parallel the default settings provided in most web browsers. Flash Player does, however, allow you to make exceptions by placing a cross-domain policy file on the server where the content is stored. Cross-domain policy files are a Flash Player security control that you can use to enable data loading between domains. This powerful functionality allows Flash- and Flex-based rich Internet applications (RIAs) to exchange information in ways that are not possible in applications built with AJAX, DHTML, or JavaScript.

This article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server. In general, websites using cross-domain policy files increase their security exposure. This is because the cross-domain policy file used by Flash Player allows access to information by more domains than are allowed in the default configuration. As with any security mechanism, use of the cross-domain policy requires careful analysis of the proposed application architecture and threat model to understand potential risks.

Note: Using a cross-domain policy file could expose your site to various attacks. Please read this document before hosting a cross-domain policy.

An Overview of Web Application Security

With the web and business web sites accessible by everyone (including malicious hackers), the security of your web application is at the top of the list of security issues on experienced PHP web developers’ minds. Let’s look at some security concerns of PHP security developers, and what they can do to make their web applications more secure.

With more and more personal information — such as credit card information, maiden names, passwords, etc. — being stored on the web, any developer (especially a PHP developer) cannot afford to be lax about application security. The most secure website is one that does not have any PHP or CGI or even HTML. But then it would not be a website at all, would it?

The Five Phase Approach of Malicious Hackers

Hackers typically approach an attack using five common phases. It is important to understand these phases of hacking attacks in order to better defend against them. Here we’ll discuss the five hacker phases to better understand them and how they relate to each other. This information is useful for network administrators, and essential for network security consultants.

Preventing spamBots From Harvesting or Scraping Email Addresses From Web Pages

Spam has become a worldwide epidemic, and prevention is the current focus. A day will come when a cure is sought more aggressively than a bandage, but for now companies are making tons of money selling us filters and spam prevention kits. Our approach at the PHP Kemist is to byte back with encrypted or obfuscated email addresses that spamBots cannot scrape or harvest from your web pages.

Simple Office Security Tips: Data And Network Security

As a business owner, risks are a given. Operational risks. Management risks. Privacy risks. All of these risks are intensified when you leave the office, says Victoria Fodale, Program Manager/Analyst for Scottsdale, Ariz.-based research firm In-Stat. “The small business owner is mobile a lot of the time. They probably carry a PDA or a smart phone or a notebook that contains business-critical information,” she explains. “But being mobile can become a liability if this information is lost or stolen.” You can minimize your risks, however, by following a few simple tips, detailed below.

Defend Your Business With A Firewall

Broadband services and the ability to work remotely may have huge benefits when it comes to productivity. But without proper protection they leave you and your network exposed to a variety of incursions. Denial of Service attacks, for example, can deprive you of access to a resource such as your network, e-mail or your website, and can destroy files and programming on your computer systems. A Trojan Horse, on the other hand, is a piece of programming that sneaks onto your system and lurks until it’s triggered by a date or event, at which time it activates and destroys files or creates a back door for intruders to enter. Attacks such as these can cost you a considerable amount of time and money. However, they can be avoided by installing a firewall across your systems.