Volume 8, Number 17 -- April 29, 2008

Decline In Vulnerabilities Belies Threat Increase, Microsoft Says in New Security Report

Published: April 29, 2008

by Alex Woodie

Despite a 15 percent decline in new security vulnerability disclosures during the second half of 2007, cybercriminals continued to successfully mine the Internet for profit, primarily by planting Trojan horses and other pieces of malicious code that steal people's identities and perform other works of unpleasantness. These are the conclusions of Microsoft's latest Security Intelligence Report (SIR), which it released at the Infosecurity Europe 2008 conference in London yesterday.

Since late 2006, Microsoft has been collecting security-related data it pulls from 450 million computers around the world--perhaps yours--and compiling it into a comprehensive view of IT security, with a concentration on software vulnerabilities, exploits, malicious code, and another category called "potentially unwanted software."

From July through December 2007, Microsoft witnessed a sudden turnaround in the prevalence of new security vulnerabilities, per the Common Vulnerability Scoring System (CVSS) method. After several years of increasing vulnerabilities, the number of new vulnerabilities suddenly dropped by 15 percent from the year before to 2005 levels, leaving 2006 to likely be the high-water mark for vulnerabilities during the current Internet epoch. Those findings largely mesh with the findings of another security report issued by IBM's Internet Security Systems' Team X-Force, which found a 5 percent decline in vulnerabilities in 2007.

However, even as vulnerabilities in system and application software decline, Microsoft's security researchers found the prevalence of malware and cybercrime increased during the second part of 2007. The number of Trojan downloaders--pieces of malware that are planted on Web pages or in e-mail messages that allow hackers to surreptitiously install other, more sophisticated pieces of malware on victims' computers--increased by 300 percent.

Microsoft also reports that it found a 66.7 percent increase in the number of pieces of potentially unwanted software, which Microsoft defines as programs that may impact user privacy or security by performing actions the person may not want. A total of 129.5 million pieces of potentially unwanted software were found on users' systems during scans from July to December.

Financial gain by organized crime is driving the latest increase in security concerns, according to Microsoft. "This latest volume supports our position that today's threats continue to be motivated by monetary gain, and it also gives us a solid view of vulnerability and exploit trends," says Vinny Gullotto, general manager of the Microsoft malware protection center.

These criminal organizations are becoming more sophisticated in their use of infected networks of computers, called botnets, and the spam e-mail that these computers generate to try to lure new victims to malicious Web sites, which is also called phishing. Microsoft noted the botnet handlers have become quite adept at adapting their spam pitches to play on basic human instincts like fear, guilt, desire, empathy, and sex, as well as current events. For example, the Storm botnet, perhaps the most infamous malicious network, got its name from an e-mail subject line used as it ramped up its campaign in January 2007: "230 dead as storm batters Europe." Click on the link, however, and your computer becomes just another drone in the botnet army.

In the end, Microsoft's findings highlight the need for more security education. This includes the basic "duh" activities: activate a firewall, install and update antivirus and anti-malware software, and don't click on suspicious e-mail subject lines.

In the data center, good security practice means something else. While vulnerabilities, exploits, and compromises gain headlines, only a quarter of security breaches are due to exploits, malware, and hacking. The vast majority of breaches are the result of the absence or failure of proper information handling or physical security procedures, such as lost or stolen laptops or backup tapes. For data center personnel, better security policies and encryption are the keys to better security.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
