Your grandmother could run a botnet. Really? You probably thought hacking skills and technical know-how were needed to be botmaster. Nope – just $2500 US, an email address, and a desire to do some evil. Don’t worry – Nana’s (probably) not herding bots, but it’s not because she lacks the necessary skills.

This may explain why cyber crime losses almost doubled last year. The number of web-based botnets doubled in the second half of 2009 and web-based bodnets now outnumber the “old school” irc-based botnets. Really? Yeah, really.

You might want to hold off on Firefox 3.6 for a while. Really? There is a known vulnerability that will not be patched until March 30.

100% guaranteed malware detection? Really? That is the claim that Dr. Markus Jakobsson makes for his new technique. He is being taken seriously by some major companies, too. This is a nerdy read, but an interesting one.

Humans are still the weak link in security. Really? That’s not exactly big news, but it is worth repeating.

Lock down the security on that……copier? Really? Think about it – high end all-in-one office machines are copiers, scanners, and printers. They often have hard drives containing TONS of sensitive data and they are generally not on the radar screen when it comes to security. Permissions are often wide open. The next time you visit your SME clients, CHECK THE COPIER! If it has a hard drive, there is probably a lot of stuff on there that your client would like to keep private.

Takin’ names and kickin’ a** – Really?Publicizing the names of ISPs that allow their clients to do mischief is one way to get them to stop taking money from the bad guys – at least in places where people care about that sort of thing.

One more time – be careful where you put that payment card. Really? Here is another case of credit card fraud involving fake PIN pads that were planted in a chain of stores in the UK. Actually, the fake pads were visually identical to real ones, so no amount care would have saved you. Some are now arguing that credit cards are safer than debit cards, since the crooks cannot empty your bank account and credit card companies provide more protections against credit fraud than against debit fraud, especially if a PIN number was entered. This article explains further.

Dennis H in West Virginia, US

March 23, 2010

This will come as no big surprise to most of us, but the threat model for cybersecuriy has shifted considerably in the past couple years. Believe it or not, operating system security has gotten better. The number of vulnerabilities is down, and more people are getting automatic updates and keeping their operating systems patched. This is the good news. By far the most common threats exploiting Windows vulnerabilities are variants of the Conficker / Downadup virus, which exploits a hole patched almost a year ago. Unfortunately, there are still lots of un-patched systems left to infect. Amazingly, Sasser and Blaster, those worms of old from 2003 an 2004 are still infecting unpatched systems!

Now for the bad news – the attacks have shifted to applications and web vulnerabilities. Applications that are exposed to the web, such as browser plugins like flash, and applications that open files that are commonly downloaded from the web, such as Quicktime and Acrobat Reader, have been a common source of infection. Most users and organizations are less likely to keep these applications up to date because they do not understand the risks.

Worse yet – websites are positively under siege. Password guessing attacks have become more prevalent, as have web application attacks, such as SQL injection attacks, PHP include attacks, and cross-site scripting attacks. Recently, many users with unpatched browsers were infected by simply visiting major commercial websites that were displaying malicious banner ads.

The final, an most disturbing, piece of bad news – social engineering, phishing, and spear phishing attacks are on the rise and have become even more sophisticated.

What do we do to help protect ourselves and our clients? First, check for unpatched applications in addition to checking for OS patches. We have discussed Secunia PSI in past Security Corner articles, but I want to do another article on it soon – it is a great tool for finding unpatched applications running on systems. Second, educate, educate, and then educate some more. Remind clients at every opportunity that the weakest link is always the users. We don’t want to be fear mongers or make people paranoid, but everyone must be aware and vigilant. Finally, web facing services MUST use strong passwords – this is the best defense against brute-force password guessing attacks.

Over the next couple of months, the Nerds On Site Security Team will be rolling out a number of services and tools to help you in this battle, including external and internal vulnerability scanning, regular port scanning for routers and gateways, intrusion detection and prevention, security policy creation and review, endpoint security, full-scale penetration testing, and user-awareness training.

If you have an interest in the changing security landscape, take a few minutes to look over the latest report from SANS. it covers the period from September 2008 to August 2009.

Dennis H in West Virginia, US

October 3, 2009