Volume 8, Number 45 -- December 16, 2008

Security Outlook Poor as 2008 Winds to Close

Published: December 16, 2008

by Alex Woodie

The state of IT security appears to be on the decline as 2008 comes to a merciful close. Microsoft just issued a massive number of patches one week ago, but it's the one patch that wasn't issued--for a zero-day flaw discovered in IE 7 just days before--that ruins the batch. Meanwhile, the global economic crisis plods on as cyber pirates continue to ramp up their online schemes--events which have combined to form what IBM labeled a "perfect storm" of security threats. Happy holidays!

Microsoft released eight security patches to resolve a total of 28 vulnerabilities last week, the final monthly "Patch Tuesday" event of the year. The fixes addressed many flaws across Microsoft products, including IE and Office, and will help to protect customers from a flood of new phishing and data mining attempts. But the fixes did nothing to stop a potentially disastrous new zero-day flaw discovered in Internet Explorer 7.

Details of the new flaw, which involves IE's handling of XML, were released just a few days before the December Patch Tuesday event, and appeared to be timed to coincide with the release of the patches. The first active exploits of the IE7 flaw were reported last Monday, according to ScanSafe, a company that delivers security protection via software as a service (SaaS).

IT organizations should brace for the worst as a result of the flaw, says Mary Landesman, senior security researcher at ScanSafe. "Zero-day exploits involving any widely used software are particularly concerning. [But] when it impacts a browser as widely used as Internet Explorer, it can have serious implications," she says. "Predictably, attackers were very quick to add the IE7 exploit to their tool kit and we anticipate these attacks will escalate over the coming weeks."

Whereas much malware was distributed via e-mail previously, 2008 saw an unprecedented increase in attacks on Web sites, particularly new social networking "Web 2.0" Web sites, according to an end-of-year security report issued by Symantec's MessageLabs subsidiary.

According to MessageLabs, the daily number of new Web sites containing malware rose from 1,068 in January to its peak at 5,424 in November. Many of these sites were compromised through SQL injection techniques, and many of the attacks targeted the new wave of popular social networking sites, says Mark Sunner, chief security analyst for MessageLabs.

"Web 2.0 offers endless opportunities to scammers for distributing their malware," Sunner said. "Web 2.0 thrives on user-generated content, as do the spammers. The ability to adapt to new mediums and upload enticing content as 'snake oil' to persuade an information-hungry user to activate it, is one of the cybercriminals' strongest talents, and has made them successful in transforming deception into a fully scalable business model within the underground shadow economy."

Meanwhile, IBM announced that it would bolster the security services it offers through its Internet Security Systems subsidiary to thwart what it views as a perfect storm of security threats.

Statistics from the X-Force research arm of ISS point to a worsening of IT security across the globe since August. Network and Web-based security events over the last 120 days have increased 30 percent at organizations that utilize ISS services. In response, ISS has seen a 40 percent increase in use of ISS' virtual operations centers among its clients, which shows that ISS customers are worried.

"We are currently in a perfect storm of security threats as businesses are cutting costs, insider threats are rising, and cybercriminals are using the ensuing confusion to create opportunities for themselves," says Val Rahmani, ISS general manager.

IBM says it will take several steps to respond to these threats. These include a new identity and access management service to be launched next year (weakness in identity management and access is responsible for 42 percent of vulnerabilities, IBM says); a new reseller program that allows partners to resell ISS security services; and free security infrastructure assessments.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
