Site News
Current section

July 30, 2010

StaffCop added!

Voting

Would you prefer to have 1 product that can fight both viruses and spyware or a specialized product for every threat?

1 multifunctional product
2 specialized products
VotingView results

September 16, 2009

Web server attacks, poor app patching make for nasty mix

A dangerous combination of a massive increase in Web server attacks and poor patching practices is a major cause of concern for experts, according to a report issued today by several security organizations.

In a groundbreaking study that matched attack trends with patching cycle data, some conclusions came as a shock, said Rohit Dhamankar, the director of security research at 3Com TippingPoint, which contributed real-world attack information -- acquired from its intrusion detection systems -- to the report.

"The sheer number of attacks against Web servers was surprising," said Dhamankar. "In terms of attack volume, they were almost 60% of all so far this year. Hackers are after a foothold in the corporate network, to conduct client-side attacks against visitors of the site, but also once they have that foothold, to gain much higher privileges and use those to also steal data."

Dhamankar pointed to the recent spread of malware from the New York Times Web site as a perfect example of the alarming increase in server attacks. Over the weekend, hackers duped the newspaper into using a malicious ad, which in turn tricked users into downloading and installing fake antivirus software. "The New York Times is a respected brand, and so it's a perfect avenue to infect lots and lots of users," he noted.

Some servers, once compromised, are even attacking other servers to pillage back-end information and to host malware fed to unsuspecting users, said Dhamankar.

The report -- which can be read on the SANS Institute's Web site -- correlated the high number of Web server attacks with another trend: poor patching practices by the Web's highest-profile third-party applications.

"Applications that are widely installed are not being patched at the same speed as the operating system," said Wolfgang Kandek, the chief technology officer of Qualys, which contributed its patching data to the study. "For Adobe Reader, Adobe Flash, Sun Java, Microsoft Office, Apple QuickTime, the patch cycles are much much slower than for operating system," he added.

That's a major problem.

"From our point of view, this is a big deal, said Kandek, speaking for security professionals in general. "There are real-life examples, where you can see attackers attacking corporate Web servers, then from there infecting client machines, until eventually a client machine is compromised that has full access to the network. Then [attackers] are stealing that corporation's data." "Attackers have realized that patching of these third-party apps is complex," added Dhamankar. "They know that a lot of people are focused on patching operating systems rather than patching applications like Flash or Reader." And thus they dig into the most widely-installed applications, looking for flaws.

The combination of hacked servers and unpatched client applications is critical. "The lack of patching opens up a huge window of vulnerabilities," Kandek acknowledged. "It shows that patching is crucial."

Adding salt to the wound, said Dhamankar and Kandek, is that while users are patching, they're patching the wrong software. While operating systems, particularly Windows, are patched by users and organizations at a relatively rapid -- and complete -- clip, the number of attacks exploiting OSes has dropped precipitously.

"Enterprises are focused on OS patching rather than on application patching," said Dhamankar. "They don't have their resources allocated properly."

Putting a stop to the threat trend won't be easy, but it is possible, argued Kandek.

"Some enterprises have patching policies in place for third-party applications, and there are industry-standard tools to do this," he said. "The technical solutions are out there. [Third-party] patching could be much better, and I see vendors being pressured to do more to integrate their patching into these tools.

"But we've done this before," Kandek continued, referring to the security situation several years ago, when Windows was the main target of attackers. Microsoft beefed up its then-OS, Windows XP, dedicated itself to writing more secure code and pushed customers to update religiously.

"That means we can do something about this, too," Kandek concluded.



Source: ComputerWorld



All news for September 18, 2009:
20:13Microsoft Internet Explorer SSL security hole lingers
20:11Conservatives call for DNA databases to be reduced
20:09McAfee warns of bogus security suite
20:08Security market remains buoyant in choppy waters
20:07The good and bad of government in the cloud
20:05Vista, Windows 7 Are More Secure than Snow Leopard
20:04Will Google's Buy of reCAPTCHA Hurt Internet Security?
20:01HHS guts health-care breach notification law, groups warn
20:00Man gets 15 months for E-Trade skimming scam
19:59Sophisticated botnet causing a surge in click fraud
19:59Microsoft sues scareware scammers
19:58Software company fined for trading with the enemy
19:58Misdirected spyware infects Ohio hospital
19:57Firefox's Flash check drives 10M to Adobe's download
19:55Microsoft, Yahoo in informal talks with EU over search deal



All news for September, 2009
All news for 2009 year

DONATION: www.anti-keylogger.org and www.keylogger.org is an independent research projects supported by a team of enthusiasts. If you find this project useful and would like to help foster its continued development, please consider making a donation.
donate

Thanks in advance for your support!