Web Security

Cybercriminals in the cloud

From Forbes (Charlotte Dunlap)
Security breaches continue to plague organizations, causing CIOs to question whether their traditional network security solutions are adequate for protecting against increasingly sophisticated cybercriminals.
Recently, it was reported that foreign hackers broke into the Pentagon’s $300 billion fighter plane weapons program, a security breach apparently achieved through contractors’ computers. The news is particularly disheartening to CIOs, because if the federal government–with all of its brain power and billions in funds–is still grappling with keeping its data secure, how can organizations and enterprises expect to avoid Internet threats and costly data breaches? Read the full story [forbes.com]

What’s the cost of fixing an application vulnerability?

From DarkReading (Kelly Jackson Higgins)
The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it’s fixed.
Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix. Read the full story [darkreading.com]

SQL injection tactics revealed

SQL injection attacks have become the most reliable way for hackers to gain access to valuable data on back-end systems, with many high-profile Web sites falling victim to the technique over the last couple of years. The attacks themselves are fairly straightforward, but the results can be devastating, as this explanation of SQL injection from IBM ISS’s X-Force shows.

From ZDNet (Dancho Danchev)
A newly discovered email worm dubbed OSX/Tored-A once again puts the spotlight on the potential worm-ability, and malware spreading tactics targeting Apple’s OS X.
The worm propagates through emails harvested from infected hosts, and has a backdoor functionality allowing its author to perform the following actions if a successful remote connection is established: it attempts to create a botnet, has keylogging functionality, and can also perform DDoS attacks as well as send spam. Read the full story [zdnet.com]

The automatic update is one of the more useful tools ever invented by software developers. Click a couple of buttons and you never have to worry about checking for new security updates again–it happens automagically! But it’s also one of the more frustrating and intrusive mechanisms we’ve seen in recent years, thanks to the tendency of vendors to abuse its power and smush in a bunch of extra applications and add-ons that users may have little use or desire for.

From CIO (C.G. Lynch)

As more workers spend a greater part of their days on social networks like Facebook and Twitter, hackers have turned their energies toward spreading their malware across those services, harming workstations and company networks.

That’s the contention of a recent report measuring Web 2.0-targeted hacks that occurred in the first quarter of this year and was conducted by the Secure Enterprise 2.0 Forum, an industry group aimed at enabling the safe use of social media in the workplace. Read the full story [cio.com]

After a two-year absence, IBM X-Force is reporting [iss.net] a significant spike in image-based spam.
“Since March 20th, we have been witnessing a rebirth of image-based spam. At first, we saw a small trial of image-based spam, reaching 5-10%. Then, in late April, we saw another blast (this time a much bigger effort) reaching 15-22% of all spam,” according to researchers Ralf Iffert and Holly Stewart.

From The H Security
Updating browsers without first asking users is apparently the most successful way of ensuring wide distribution for the latest version – thus minimising the number of vulnerable browsers. A joint study [techzoom.net] by Google Switzerland and the ETH (Swiss Federal Institute of Technology) in Zurich concludes that, if an update requires too much user interaction or effort, users will either abort the process or fail even to run it. Read the full story [h-online.com]

Twitter co-founder Biz Stone says the company “takes security very seriously,” but the details behind the micro-blogging site’s recent hack show that Twitter is light years away from having the most basic security controls in place.
