- Category: March 2011
I just read a comprehensive article written by Markus Hennig, Chief Technology Officer at Astaro, on how to avoid Internet security holes and would like to share with you his key points.According to him employees may not fully understand the vulnerabilities online and unknowingly trigger unwanted security breaches, leaving enterprises with a high cost of repairing and replacing systems. He further believes that the rise of the Internet and online communication methods in Asia pose even higher risks of Internet security threats than expected. So, take a look at his list of five fundamental internet security holes to gain an overview:
1. Security hole - Browsers
Security holes keep appearing in web browsers as for instance with the CSS bug that infected Internet Explorer by targeting computers in a two-stage attack: first, the user follows an email link to a web page containing malicious code, which automatically installs a Trojan on the computer. The user does not even need to click the mouse, but just by simply visiting the website they can be infected. Any other browsers with the current known security holes can be harmed in the same way.
2. Security hole - Adobe PDF Reader, Flash, Java
The ubiquity of tools and programs such as Adobe PDF Reader, Flash, and Java makes them highly vulnerable to attack, although providers are quick to provide counter measures. Companies, however, have to then ensure that these patches are installed on all of their computers – which are where they often fall down. Either the IT departments are not aware of the corrections, are unable to install them, or bemoan the fact that the update failed. In this case, if an employee visits a page with embedded Flash videos that launch automatically, malicious code can then be run automatically in the background. With the user being completely unaware of it, a Trojan can get a chance to infiltrate the computer unnoticed, making it part of a botnet. Flash and Java, in particular, have become veritable malware disseminators over the past few months, providing the perfect access point for Trojans lurking in the background of colourful websites, which then bypass all virus scanners to become permanently ensconced on the computer. To prevent attacks via Flash, companies can use Flash blockers (a browser plug-in) to prevent videos from being played automatically.
3. Security hole - Web 2.0 applications
The latest web-based security holes of note tend to be new methods of attack, such as Cross-Site Scripting (XSS) or SQL Injection. The cause of the vulnerability in this case is generally inaccurate or incorrect implementation of AJAX, a method for exchanging data asynchronously between server and browser. This type of vulnerability was exploited, for example, by the MySpace worm attack around a year ago, which allowed the hacker to swiftly obtain and access the profiles of millions of MySpace contacts. Another, more recent attack was the “on mouse over” attack on Twitter. This attack was particularly sophisticated because its authors were able to embed malicious code that disseminated itself and directed users to websites containing malware in just 140 characters and without any clicking required. All the user had to do was move their cursor over the Tweet and any protection was out of his hand. Actually, it is the manufacturers’ responsibility to ensure that their applications are well and securely programmed and that a precautionary measure of protecting the data of its users with a Web Application Firewall is in place.
4. Security hole - Cell phone and smartphone data
There are a huge number of cell phone users in Asia, with smartphones gaining popularity. In Singapore alone, there are currently three phones for every two people, so it is no surprise new data security risks are being discovered in this arena on a daily basis. For instance, there is a new generation of worms specifically targeted at smartphones (let’s call them “iWorms”). Recently, it was discovered that the ZeuS botnet was specifically attacking cell phones. Using infected HTML forms on the victim’s browser, it would obtain their cell number and then send a text message containing the new malware SymbOS/Zitmo.A!tr (for “Zeus In The Mobile”) to this number. The malware, which was designed to intercept and divert banking transactions, would then install itself in the background.
Many Apple users wishing to circumvent SIM card restrictions to a specific network provider or to use applications that are unavailable through the Apple store perform a process known as jailbreaking to remove the usage and access limitations imposed by Apple. This process allows users to gain root access to the command line of their device’s operating system. The risk inherent with jailbreaking is that it makes many of the devices more vulnerable to attack; for instance, the majority of users do not change the SSH password after performing a jailbreak – this is a serious failing because Apple’s default root password “alpine” is now widely known. If the password is not changed, the device is susceptible to unauthorized third-party access.
5. Security holes – unknown vulnerabilities
Zero-day attack is the term given to a threat that uses vulnerabilities that are unknown to others and for which there is no patch. In other words, the manufacturer of a system first becomes aware of the vulnerability on the actual day of the attack or even later, which gives hackers the perfect opportunity to exploit such holes. This type of operating system attack is particularly dangerous because the cyber criminals have direct remote access to the affected systems. They require no additional tools such as browsers or Java, the only requirement is that the target computer is online. There is no way to protect against zero-day exploits because patches and first-aid measures can only be published retroactively. It is not only Microsoft computers that are affected by this problem; the growing prevalence of Macs means that they are also becoming a target for zero-day attacks.