Computer users and custom applications created with minimal attention to security emerged as the top two attack targets favored by criminals.
The SANS Top 20 list for 2007 marked a shift away from its usual focus on vulnerabilities in software products. That catalog of critical problems requiring attention is still there, but security pros now have more to worry about than keeping up with patch updates.
"Facing real improvements in system and network security, the attackers now have two new prime targets that allow them to evade firewalls, antivirus, and even intrusion prevention tools: users who are easily misled and custom-built applications," SANS said in a statement.
"This is a major shift from prior years when attackers limited most of their targets to flaws in commonly used software."
SANS illustrated a few scenarios in which these trends have proven costly for their victims. One describes the penetration of a sensitive federal agency via a spear phishing attack; the end result was data being sent from a chief information security officer's PC to a computer in China.
Other scenarios, based on real-world events with details changed to protect identities, showed how attackers managed to place keyloggers on machines. The victims ranged from a major government think tank to an individual whose father's bank account was emptied, with the ill-gotten gains forwarded to suicide bomber recruiters.
Plugging a new, unprotected machine straight into the Internet is an invitation to compromise, according to SANS. They estimate such a machine will last about five minutes before it is attacked, and it will be compromised unless it was configured securely before being connected.
Alan Paller, director of research at SANS, pointed to the rise in poorly-secured web applications as particularly troublesome. These dynamic applications routinely talk to back-end databases that house sensitive information about the application's users, so a flaw in the application exposes that data directly.
"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all Web applications," he said.
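As an added illustration of the kind of flaw Paller is describing (this example is not from the article or from SANS), the following Python code shows the classic case of a web application assembling a database query from user input, beside the parameterized version that developers trained in secure coding would write. The table, the rows and the attacker-controlled username are constructed for the example; the vulnerable lookup hands the whole table to anyone who supplies a crafted username, while the parameterized lookup treats the same input as a literal string and returns nothing.

```python
import sqlite3

# Constructed sample data (not from the article): a users table holding the
# sort of sensitive fields a web application looks up by username.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "555-0100"),
    ("bob", "bob@example.com", "555-0101"),
    ("carol", "carol@example.com", "555-0102"),
]

# Constructed attacker input: closes the quoted literal and appends a clause
# that is always true, so a concatenated WHERE matches every row.
INJECTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username):
    """The query text a naive application produces: user input becomes SQL."""
    return (
        "SELECT username, email, phone FROM users WHERE username = '"
        + username
        + "'"
    )


def lookup_vulnerable(conn, username):
    """Vulnerable lookup: the username is spliced into the statement itself."""
    return conn.execute(build_vulnerable_sql(username)).fetchall()


def lookup_parameterized(conn, username):
    """Hardened lookup: the username is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username, email, phone FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(INJECTED_INPUT))
    print("vulnerable:    ", lookup_vulnerable(db, INJECTED_INPUT))
    print("parameterized: ", lookup_parameterized(db, INJECTED_INPUT))
```

The difference is not input validation but where the boundary between code and data is drawn: with a bound parameter the database driver never has to guess which part of the statement came from the user, so the crafted input cannot change the query's meaning.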
About the Author: David Utter is a business and technology writer for SecurityProNews and WebProNews.