It's September, so it's time for Internet security companies to release their annual reports and surveys about the threats seen in the first six months of the year. The reports from IBM, Arbor Networks (free registration required), and Symantec (in PDF) each looked at different areas of the Internet but generally found that botnets are on the rise, and that attack tools have gone professional, with less noise from mere amateurs. Two of the reports found that the three vendors most affected by newly disclosed vulnerabilities were Microsoft, Apple and Oracle, that the United States hosts the most spam-related Web sites, and that the sites most often phished were financial sites.
Arbor Networks reported that botnets, at 29 percent, have replaced denial-of-service attacks, at 24 percent, as the No. 1 threat among its respondents. The ISPs contacted by Arbor Networks for its survey also report that the number of professional denial-of-service attacks has increased markedly relative to "amateur" attacks. The attacks seem to be targeting specific industries, a finding echoed by Symantec and IBM.
In the first half of 2007, the IBM survey showed a total of 3,273 software vulnerabilities, a 3.3 percent increase over the same period in 2006. Oddly, Symantec showed only 2,461 vulnerabilities, and reported that figure was 3 percent less than during the same period in 2006. The differences between reports can be accounted for by the methodologies used by IBM and Symantec to categorize vulnerabilities and the specific vendors they include in that count; for example, Symantec didn't track the Oracle operating system in its report.
The IBM report showed January was the busiest month for reporting new vulnerabilities with 600 disclosed. January 15 to 21 was the busiest week, responsible for 149 vulnerabilities. IBM also said the top three vendors reporting the most vulnerabilities were Microsoft, Apple and Oracle; together they accounted for 12.6 percent of the total. Symantec said that Microsoft reduced its time-to-patch from 21 days in December to only 18 at the end of July, while Apple only reduced its time-to-patch from 49 days in December to 43 days at the end of July. Symantec did not track Oracle in its report. IBM also noted that an amazing 21 percent of the Microsoft, Apple and Oracle vulnerabilities remained unpatched at the end of July.
On the subject of spam, IBM reported that the United States, Poland and Russia were responsible for most of the world's spam content. Symantec said the top three spam producers were the U.S., "undetermined" EU countries, and China. IBM said the U.S. alone accounts for one-eighth of all spam traffic, and hosts more than one-third of all spam-related Web sites, results similar to those found by Symantec.
IBM also said the U.S. hosts almost half of all the phishing sites located in the United States; again, Symantec's results were similar. Of the phishing sites, 9 of the 10 listed by IBM were financial, a finding shared by Symantec. IBM also reported that pornographic Web sites constitute 9 percent of all the Web sites. The U.S. remains host to a majority of sites focused on violence, crime, pornography, sex, computer crime and illegal drugs. This is unchanged from 2006.
When creating a broad forum or social-networking site like Facebook, deciding what, if any, content should be prohibited is always a difficult decision. Pornography and unauthorized copyrighted material are usually forbidden, but any other restrictions will often spark calls of censorship and accusations that the forum infringes on the freedom of speech guaranteed under the U.S. Constitution. In reality, the constitution doesn't dictate what must be allowed in these circumstances, just as you are permitted to make certain subjects off-limits in your own home. Despite the fact that there is no constitutional issue, there is a perception of one, and the concerns about censorship are very real and do have merit.
Lately, Facebook has been dealing with a growing controversy surrounding one of its groups. F**k Islam has more than 800 members, has generated almost 20,000 wall posts, and sparked a number of similar groups in addition to a host of groups built around their opposition to the group's existence. The debate has recently spilled into The New York Times.
According to a post Monday on the Washington Post's "Security Fix" blog, AOL's password system may not be quite as secure as it would have you believe. A tipster e-mailed blog author Brian Krebs to say that even though AOL allows your password to be 16 characters long, it only counts the first eight. This could spell bad news for AOL members who might not choose their passwords wisely--namely, those who might include their usernames in them.
"Let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones," Krebs wrote in his post. "Bob--thinking himself very clever--sets his password to be BobJones$4e?0...even though Bob thinks he created a pretty solid 13-character password--complete with numerals, non-standard characters, and letters--the system won't read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this."
But even though the Washington Post blog has certainly raised the profile of the potential password flaw, it's not necessarily anything new. As one commenter on the post writes, "it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords."
AOL representatives did not immediately respond to requests for comment.
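As an added example, not taken from the Washington Post post or from AOL, the truncation the commenter describes, simulated in Python: a legacy-style hash that uses only the first eight characters (modelled after the classic DES-based crypt() behaviour, not a real crypt() implementation) beside a PBKDF2 hash that uses all of them, plus a black-box probe a reviewer can run against any password-hashing function to measure how many characters it actually consumes. The salt, the round count and the helper names are constructed for the demo.

```python
import hashlib
import hmac
import os

SALT = os.urandom(16)        # constructed for the demo; real systems store one per account
PBKDF2_ROUNDS = 10_000       # kept low for speed; production deployments use far more


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Simulates the crypt(3) property the commenter refers to: only the first
    8 characters of the password influence the digest. SHA-256 stands in for
    DES here; the truncation is the behaviour of interest."""
    effective = password[:8].encode()
    return hashlib.sha256(salt + effective).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """A scheme without silent truncation: PBKDF2 over the whole password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(hash_fn, stored: bytes, attempt: str, salt: bytes) -> bool:
    return hmac.compare_digest(hash_fn(attempt, salt), stored)


def find_truncation_length(hash_fn, salt: bytes, probe_len: int = 32):
    """Black-box check for prefix truncation: hash a probe string, then change
    one character at a time. The first position whose change leaves the digest
    unchanged is the number of characters the function really uses.
    Returns None when every position matters (no truncation detected)."""
    base = "a" * probe_len
    reference = hash_fn(base, salt)
    for i in range(probe_len):
        variant = base[:i] + "b" + base[i + 1:]
        if hmac.compare_digest(hash_fn(variant, salt), reference):
            return i
    return None


def bob_jones_case(hash_fn) -> bool:
    """Bob's 13-character password is 'BobJones$4e?0'. Does the bare user name
    'BobJones', its first 8 characters, also pass verification?"""
    stored = hash_fn("BobJones$4e?0", SALT)
    return verify(hash_fn, stored, "BobJones", SALT)


if __name__ == "__main__":
    print("legacy truncates after:", find_truncation_length(legacy_hash, SALT))  # 8
    print("modern truncates after:", find_truncation_length(modern_hash, SALT))  # None
    print("user name alone verifies (legacy):", bob_jones_case(legacy_hash))    # True
    print("user name alone verifies (modern):", bob_jones_case(modern_hash))    # False
```

The same probe works against a live login endpoint by substituting a function that sets the probe password and attempts a login, which is how a defender confirms whether a system ignores characters past a fixed prefix.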
I often joke about the reputation we analysts have for wild hyperbole and speculation, but I also realize that some of this is well deserved. For example, one frequent analyst diatribe is the "technology X is dead" rap. Point to some technology and become the industry beacon who foretells its demise. Someone resurrects this tired strategy every few years.
The latest version of this old analyst song is that "antivirus is dead." The theory states that new threats are simply too fast, stealthy, and targeted for tried-and-true antivirus software from vendors like McAfee, Symantec, and Trend Micro. After all, antivirus software operates on an a posteriori model where antivirus vendors find malicious code in the wild, develop software signature defenses, and then distribute these signatures to customers. The "antivirus is dead" crowd believes that this model can no longer keep up.
As a member of the brotherhood of industry analysts, I apologize to the world for this soundbite-focused oversimplification. Indeed, antivirus is not dead, but like other security technologies its role has changed. Like other IT categories, client security depends upon a layered "defense in depth" model. There is still plenty of pedestrian malware out there that antivirus software is perfectly capable of addressing. Yes, there are other, more ominous threats as well, which is why desktop software vendors now provide intrusion prevention heuristics as part of their security suites. In other words, add another layer of protection to enhance security and protect against another type of threat. In its simplest form, this description categorizes all security strategies.
Saying antivirus software is dead is like saying that airbags made seatbelts obsolete. In fact, airbags simply made seatbelts a part of an overall safety system and thus enhanced automotive safety.
Finally, can someone please introduce me to the analyst who proclaimed that "mainframes are dead" back in 1990 or so? Even after all of these years, I doubt that anyone would own up to such a ridiculous and wildly inaccurate assertion.