Data theft and other online threats presently represent a significant danger for businesses in the UK. Compounding this problem is the economic downturn, which is leading many executives to cancel, defer or downsize security budgets.
Security threats are meanwhile costing UK businesses a huge amount of money. On average, the total cost of security breaches including lost business in the UK last year was $2,565,702 (US dollars). To highlight the risks facing companies today, network security specialists at Astaro have kindly compiled the following list detailing the five most serious internet security holes:
1. Browser vulnerabilities
No provider is immune to the security holes that keep appearing in web browsers. A recent example is the CSS bug that affected Internet Explorer versions 6, 7, and 8 (CVE-2010-3962). This bug targets the computers in a two-stage attack: First, the user follows an e-mail link to a web page containing malicious code. This code is then run without the user realizing it and automatically installs a trojan on the computer. The user does not need to click the mouse; simply visiting the website is enough. The only way companies can protect themselves fully from this is to refrain from using any browsers with current known security holes for as long as they remain unpatched.
2. Vulnerabilities in Adobe PDF Reader, Flash, Java
The ubiquity of tools and programs such as Adobe PDF Reader, Flash, and Java makes them highly vulnerable to attack. Although they do frequently show security holes, most providers are quick to provide patches. However, companies then have to make sure these patches are installed on all computers – which is where they often fall down. Either the IT departments are not aware of the patches, are unable to install them, or bemoan the fact that the update failed. In this case, if an employee visits a page with embedded Flash videos that launch automatically, malicious code can then be run automatically in the background.
With the user being completely unaware of it, a trojan will infiltrate the computer unnoticed, making it part of a botnet. While there are only a few Windows exploits, for instance, there is a vast number in Adobe, Java, and Flash. Flash and Java, in particular, have become veritable malware disseminators over the past few months, providing the perfect access point for trojans lurking in the background of colorful websites, which then bypass all virus scanners to become permanently ensconced on the computer. Private users should therefore never use these programs and companies should employ standard procedures or policies prohibiting their use. To prevent attacks via Flash, companies can use Flash blockers (a browser plug-in) to prevent videos from being played automatically.
3. Vulnerabilities in Web 2.0 applications
The latest web-based security holes of note tend to be new methods of attack, such as Cross-Site Scripting (XSS) or SQL Injection. The cause of the vulnerability in this case is generally inaccurate or incorrect implementation of AJAX, a method for exchanging data asynchronously between server and browser. This type of vulnerability was exploited, for example, by the MySpace worm created by the hacker known as Samy.
It was published around a year ago and allowed the hacker to swiftly obtain and access the profiles of millions of MySpace contacts. Another, more recent attack was the “on mouse over” attack on Twitter. This attack was particularly sophisticated because its authors were able to embed malicious code that disseminated itself and directed users to websites containing malware in just 140 characters and without any clicking required. All the user had to do was move the cursor over the Tweet.
There is very little users of such applications can do to protect themselves against this other than to stop using the service as soon as a security problem is made public. It is therefore the manufacturers’ responsibility to ensure that their applications are well and securely programmed – or to take the precautionary measure of protecting the data of its users with a Web Application Firewall.
4. Cell phone and smartphone data security holes
In the UK alone, there are currently more mobile phones than people. This very fact means that new data security risks are being discovered in this arena on a daily basis. For instance, there is a new generation of worms specifically targeted at smartphones (let’s call them “iWorms”). In September, it was discovered that the ZeuS botnet was specifically attacking cell phones. Using infected HTML forms on the victim’s browser, it would obtain their cell number and then send a text message containing the new malware SymbOS/Zitmo.A!tr (for “Zeus In The Mobile”) to this number. The malware, which was designed to intercept and divert banking transactions, would then install itself in the background.
Many Apple users wishing to circumvent SIM card restrictions to a specific network provider or to use applications that are unavailable through the Apple store perform a process known as jailbreaking to remove the usage and access limitations imposed by Apple. This process allows users to gain root access to the command line of their device’s operating system. The risk inherent with jailbreaking is that it makes many of the devices more vulnerable to attack; for instance, the majority of users do not change the SSH password after performing a jailbreak – this is a serious failing because Apple’s default root password “alpine” is now widely known. If the password is not changed, the device is susceptible to unauthorized third-party access.
5. Zero-day exploits in operating systems
Zero-day attack is the term given to a threat that uses vulnerabilities that are unknown to others and for which there is no patch. In other words, the manufacturer of a system first becomes aware of the vulnerability on the actual day of the attack – or even later. This gives hackers the perfect opportunity to exploit holes. This type of operating system attack is particularly dangerous because the cyber criminals have direct remote access to the affected systems.
They require no additional tools such as browsers or Java, the only requirement is that the target computer is online. There is no way to protect against zero-day exploits because patches and first-aid measures can only be published retroactively. It is not only Microsoft computers that are affected by this problem; the growing prevalence of Macs means that they are also becoming a target for zero-day attacks.