Security Attacks Coming from Phones and Legitimate Sites

Recent published reports show that more hacker attacks are coming from legitimate sites as opposed to sites dedicated to attacking individual computers. In other news, security researchers have shown a bug in Skype Ltd.’s chat tool that allows it to be used to infect end user machines.

Focal Points:

• A recent publicly released report showed that more security attack code is now coming from legitimate domains that have been penetrated by hackers. Security company Websense, Inc. found 51 percent of malicious content came from unpatched machines at legitimate sites that had been infected. The remaining sites were determined to be specifically built to attack people who visited the sites. Specific examples of infected legitimate sites include the Web site for the Miami Dolphins and the Bank of India. Most Web sites are exploited because they do not have all the operating system and application patches applied.
• Recent news reports found that the furniture company Ikea had recently been exposed to a large security breach which allowed hackers to get full access to its email systems. This allowed criminals to use these servers for massive spam attacks. Patches have been placed on the systems, but some security experts suggest that large companies need to increase the frequency of reviewing and patching systems, in light of the increased frequency and aggressiveness of security exploits. Hackers are using these vulnerabilities to send additional Trojans and Rootkits that appear as messages coming from a trusted source. Experton Group suggests that adding behavioral analysis to security management systems will help identify this type of malicious behavior.
• Security researchers recently discovered a flaw in Skype’s chat tool that hackers are able to exploit. The vulnerability allows cross-zone scripting to occur. This creates a possibility for taking over the PCs that are using this application. The exploit can happen through downloading a corrupt video file, which then gets uploaded to a users' machine and infects it. Since ads are used in Skype, which can be downloaded from various sources, it is easy for hackers to inject malicious sites in place of legitimate ads. The latest version of Skype, v3.6.0.244, has this vulnerability. Officials from Skype say they have temporarily disabled users' ability to add videos until an official fix is available.

Experton Group believes security attacks will continue to increase in frequency and intensity, as hackers get in front of security personnel with multi-vector attacks and successfully penetrate and exploit legitimate Web sites. In order to minimize the threat posed by these new, more aggressive attacks, security personnel will need to depend more heavily on forensic and behavior analysis, to find potential problems before known zero-day exploits are published. Still, the majority of exploits rely on known vulnerabilities of operating systems and applications. IT executives should place a high priority on auditing systems and establish an aggressive timeline and process for finding and patching system vulnerabilities.