58% of critical apps insecure

Written by John P Mello Jr on March 5, 2010 – 4:05 pm -

The most prevalent vulnerability by overall frequency identified by the report is cross-site scripting (XSS).

Most software used by large companies in critical business applications is insecure, according to a report released by a company that tests programs for security vulnerabilities.

In a report titled “State of Software Security,” the company, Veracode, of Burlington, Mass., disclosed that when it first tested some 1,600 business-critical applications, 58 percent of them failed to achieve an acceptable security score.

The worst culprits were programs developed by companies for internal use. Failure rates for those applications were as high as 88 percent, the report said.

“Extrapolating from the application sample set, more than half of the software deployed in enterprises today is potentially susceptible to an application layer attack similar to that used in the recent Heartland or Google security breaches,” it noted.

The most secure software submitted to Veracode for testing originated with the financial industry or government sector. More than half the applications from those industries passed muster on their first go-round with testers, which placed them at the top of the list of 15 industries represented in the study’s data set.

The report also plugged open source software as a viable solution for businesses. The failure rate for open source programs was on par with their commercial counterparts–39 percent for open source, 38 percent for commercial wares.

What’s more, the speed at which security vulnerabilities were addressed in open source programs was far better than their competitors–36 days for open source, 48 days for internal software and 82 days for commercial apps.

In addition, open source programs contained the fewest vulnerabilities that could potentially be converted into backdoors which could be exploited by crackers for havoc. “The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the Open Source community,” the report reasoned.

Details sketchy on Firefox 3.6 security issue

Written by Dan Blacharski on March 3, 2010 – 5:07 pm -

A security advisory issued this week highlighted a serious code-execution vulnerability in Mozilla Firefox 3.6. According to the advisory, the vulnerability is caused by an “unspecified error” and can be exploited to execute arbitrary code on the victim’s machine. The issue was originally reported by the Russian security firm Intevydis.

Little has been reported on the vulnerability to date, and some have even suggested that it is a “hoax.” Don’t take the hoax suggestion at face value, no matter how big a fan of Firefox you may be: in the security business, reports like this need to be taken seriously until they are disproved, and ignoring them is inherently dangerous. That said, there is very little data on how widely the exploit has circulated, although some sources report an increase in the number of Firefox 3.6 crashes on February 12 and 13.

On the Mozilla blog, Mozilla does not confirm the vulnerability at this point for lack of details on how to reproduce it, but does make a point of saying, “Mozilla takes all reports of security vulnerabilities seriously,” as well they, or any other software organization, should.

The advisory raises an important point: even on the latest version of a program with every available patch applied, security is not bulletproof. Applying patches as they are released, preferably automatically, is always good practice and goes a long way toward reducing preventable attacks. But patch management alone isn’t going to keep your systems safe. In one forum where the vulnerability is being discussed, a user noted that the “Insecure” tab of the patch-checking tool in question (a useful feature, by the way) only lists programs for which a fix is already available. Since Mozilla has not yet released a patch for this issue, the tool does not flag Firefox 3.6 as insecure.

That makes this a classic zero-day: a vulnerability that attackers can exploit in the window between its discovery and the release of a patch, and that patch-status tooling therefore cannot see. For now, Firefox users should proceed with caution and, as with any browser, take the standard precautions: avoid opening unknown or suspicious URLs, use a pop-up blocker, and monitor network traffic for anything unusual.

P2P networks sharing sensitive data

Written by John P Mello Jr on February 26, 2010 – 10:21 am -

The FTC is raising the red flag over data breaches caused by P2P software.

A growing problem with the inadvertent disclosure of sensitive information through peer-to-peer (P2P) networks was exposed this week by the U.S. Federal Trade Commission (FTC). In a letter sent to almost 100 organizations, the agency raised the red flag that sensitive customer and employee information from those entities was being shared on public P2P networks where anyone could see it. It warned the organizations that the data could be used by unscrupulous parties to steal identities or perpetrate fraud.

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” FTC Chairman Jon Leibowitz said in a statement.

“For example,” he continued, “we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft.”

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” he added. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

The FTC’s letter went to both public and private organizations ranging in size from as small as eight employees to publicly traded companies with 10,000 or more workers.

Although receipt of the letter doesn’t mean that an organization has broken any laws, the agency cautioned recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.” It added that failure to prevent sensitive information from being shared on a P2P network could violate federal law.

It went on to note that if customer and employee confidential information was exposed on a P2P network, an organization should consider notifying the affected parties. In some cases, it added, such notification is required by state or federal law.

Tokens offer more than token resistance to crackers

Written by John P Mello Jr on February 19, 2010 – 4:54 pm -

With token architecture, tokens are substituted for sensitive information on the network.

Encryption has become increasingly important as a means of protecting sensitive information from poachers. As widely publicized data breaches have brought information security under closer scrutiny by governments and industry consumer protection agencies, encryption is no longer an option for many companies but a necessity.

While encryption offers a strong measure of protection for a company’s data, it also imposes additional burdens. For example, encrypted data generally takes up more space than the plaintext it protects (initialization vectors, padding and encoding all add overhead), so encrypting data bumps up the demands on a company’s storage systems. In addition, broad use of encryption can, in some industries, increase the cost of compliance audits, because every system that handles the encrypted data and its keys must meet the standards of regulators both public and private.

One way to relieve the burden encryption places on organizations that’s gaining popularity is tokenization. Not only does this technology reduce the storage requirements created by encrypting data, but it improves security and curbs compliance costs. The fewer the places that sensitive data is stored in a system, the fewer the places subject to compliance audits.

Tokenization saves space by substituting tokens for encrypted information within a system. Typically, when a piece of information is encrypted, it is written back to its original location (a record in a database, for example) in encrypted, or ciphertext, form. With tokenization, the information is encrypted once and stored in a central location, typically a data vault, and a token representing that data is returned to the original location. The token is a surrogate value with no mathematical relationship to the data it stands for; the only way back to the original is a lookup in the vault. It takes up less space than its encrypted analog and can be used anywhere the original information would be used. So if the data is used in multiple locations, space is saved because encrypted copies of it need not be stored at each location. What’s more, the encrypted data resides in only one place, making it easier to secure.
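To make the vault-and-token flow concrete, here is an added example in Python; it is not code from the article or from any tokenization product. The vault keeps the ciphertext in one place, hands the application a format-preserving token that keeps only the last four digits, and finds an existing token for a repeated value through a keyed hash so the same card number always maps to the same token without the vault ever storing the number in the clear. The cipher is a stand-in built from HMAC-SHA256 in counter mode so the example runs on the standard library alone; a real vault would use an authenticated cipher such as AES-GCM. The keys, the sample card number and the token format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def _hmac_ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over (nonce || counter) as keystream.
    Stand-in for a real authenticated cipher (e.g. AES-GCM) so the example
    needs only the standard library; do not use it as-is in production."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream.extend(
            hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        )
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


class TokenVault:
    """Central store: ciphertext lives here, applications keep only tokens."""

    def __init__(self, enc_key: bytes, index_key: bytes):
        self._enc_key = enc_key        # encrypts the stored value
        self._index_key = index_key    # keyed hash used for duplicate lookups
        self._by_token = {}            # token -> (nonce, ciphertext)
        self._by_index = {}            # HMAC(plaintext) -> token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 8 <= len(pan) <= 19):
            raise ValueError("expected a numeric card number")
        # The keyed hash lets us find an existing token for this value
        # without the value itself being stored anywhere in the vault.
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._by_index:
            return self._by_index[index]
        # Format-preserving token: same length, last four digits kept so
        # receipts and support screens still work; the rest is random.
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        nonce = secrets.token_bytes(16)
        self._by_token[token] = (nonce, _hmac_ctr_xor(self._enc_key, nonce, pan.encode()))
        self._by_index[index] = token
        return token

    def detokenize(self, token: str) -> str:
        """The only path back to the real value; gate this with authorization
        and audit logging in a real deployment."""
        nonce, ciphertext = self._by_token[token]
        return _hmac_ctr_xor(self._enc_key, nonce, ciphertext).decode()

    def holds_plaintext(self, pan: str) -> bool:
        """Sanity check: the raw value should appear nowhere in vault storage."""
        needle = pan.encode()
        return (
            any(needle in nonce or needle in ct for nonce, ct in self._by_token.values())
            or pan in self._by_index
            or pan in self._by_token
        )


def build_order_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the application database stores: a token, never the card number."""
    return {"customer": customer, "card": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), secrets.token_bytes(32))
    # 4111111111111111 is a constructed test card number, not a real account.
    record = build_order_record(vault, "alice", "4111111111111111")
    print(record)
    print(vault.detokenize(record["card"]))
```

Detokenizing is the only route back to the real value, so the vault is where access control and audit logging belong; a copy of the application database yields only tokens, which is the reduction in audit scope the article describes.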

Data breaches increase, legal costs soar

Written by John P Mello Jr on February 16, 2010 – 6:19 pm -

Average per-record cost of a data breach has increased from $138 per victim in 2005 to $204 in 2009.

The per-record cost to companies that suffer data breaches increased slightly over the last year, as did the average cost per incident, according to a recent report.

Compared to 2008, when the average cost per compromised record was $202, the cost last year was $204, according to the fifth annual U.S. Cost of a Data Breach study conducted by the Ponemon Institute, of North Traverse City, Mich., and sponsored by the PGP Corporation, of Menlo Park, Calif.

The average cost per incident also rose slightly, to $6.75 million from $6.65 million in 2008. Although the cost of each incident climbed, the number of reported incidents declined by 24 percent, to 498 from 657 in 2008.

Although direct costs attributed to data breaches declined in 2008, they rose significantly in 2009, according to the study, which analyzed 45 cases across 15 industries, including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels, leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense. Cases ranged from as few as 5,000 records to as many as 101,000 records.

Direct, or ex-post, costs attributed to breaches jumped to $60 from $50 in 2008, the researchers found. “One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” they maintained. “This can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”

Survey identifies worst password practices

Written by John P Mello Jr on February 9, 2010 – 5:40 pm -

20 percent of accounts could be compromised in 5000 attempts.

A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.

The analysis, conducted by the Imperva Application Defense Center, found that 60 percent of users picked passwords from a limited set of alphanumeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial strings such as 123456 or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, the analysis draws on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text. That the passwords could be published in the clear at all is its own lesson about how the site stored them.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or fewer, and more than 30 percent of them contained six or fewer. By comparison, only a little over 28 percent of the passwords in the mix were longer than eight characters.
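To show how figures like these are derived, here is an added Python example (not code from the article or from Imperva) that runs the same kind of analysis over a small constructed password dump: what share of accounts falls to the N most common passwords, how many guesses per account are needed to reach a given coverage (the logic behind a figure like “20 percent in 5000 attempts”), the length profile against the eight-character floor, and the share drawn only from letters and digits. The dump, its repeat counts and the small common-word list are made up for the example and stand in for the 32 million stolen passwords and a real dictionary.

```python
from collections import Counter

# Constructed sample "dump" standing in for a stolen plaintext password list.
# The values and their repeat counts are made up for this example.
SAMPLE_DUMP = (
    ["123456"] * 5
    + ["password"] * 3
    + ["qwerty"] * 2
    + ["iloveyou", "abc123", "dragon", "Tr0ub4dor&3", "correct horse battery",
       "x7$Lq!9v", "letmein", "sunshine", "monkey", "football"]
)

# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"password", "qwerty", "iloveyou", "dragon", "letmein",
                "sunshine", "monkey", "football"}

MIN_LENGTH = 8  # the eight-character floor the article cites from NASA guidance


def top_n_coverage(passwords, n):
    """Fraction of accounts an attacker compromises by trying the n most
    common passwords once against every account (an online guessing attack)."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return covered / len(passwords)


def attempts_for_coverage(passwords, fraction):
    """Smallest number of guesses per account whose top-N coverage reaches
    `fraction`; this is how a '20 percent in N attempts' figure is derived."""
    counts = Counter(passwords)
    covered = 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / len(passwords) >= fraction:
            return n
    return len(counts)


def length_profile(passwords):
    """Share of passwords below, at and above the minimum length."""
    total = len(passwords)
    return {
        "below_min": sum(len(p) < MIN_LENGTH for p in passwords) / total,
        "at_min": sum(len(p) == MIN_LENGTH for p in passwords) / total,
        "above_min": sum(len(p) > MIN_LENGTH for p in passwords) / total,
    }


def alnum_only_fraction(passwords):
    """Share drawn only from letters and digits (no symbols or spaces),
    the 'limited character set' the study flags."""
    return sum(p.isalnum() for p in passwords) / len(passwords)


def is_trivial(password):
    """Dictionary word, common password, or all-digit string."""
    return password.lower() in COMMON_WORDS or password.isdigit()


def trivial_fraction(passwords):
    return sum(is_trivial(p) for p in passwords) / len(passwords)


if __name__ == "__main__":
    print("top-3 coverage:", top_n_coverage(SAMPLE_DUMP, 3))
    print("guesses per account for 20% coverage:", attempts_for_coverage(SAMPLE_DUMP, 0.20))
    print("length profile:", length_profile(SAMPLE_DUMP))
    print("letters and digits only:", alnum_only_fraction(SAMPLE_DUMP))
    print("trivial:", trivial_fraction(SAMPLE_DUMP))
```

The coverage numbers are the ones that matter defensively: an online attacker who can afford a few thousand guesses per account does not need to crack anything, so a per-account lockout or rate limit, plus a blocklist of the most common passwords at registration time, removes most of the exposure that a length rule alone leaves open.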

Hybrid malware spreading via USB devices

Written by John P Mello Jr on February 3, 2010 – 5:01 pm -

Zimuse leverages an IQ test to infect its victims.

An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the propagation of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.

What makes the pernicious program odd is its destructive payload. These days, black hats tend to concentrate their efforts on schemes that have a cash payoff, and when that’s your line of business, stealth, not havoc, is your modus operandi. Zimuse’s creators, though, don’t seem to care about monetary gain. Proliferation and mayhem appear to be their game.

Given the putative origin of the malware, it’s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.

The malware is a two-trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host’s Windows operating system and cripples the machine.

One way Zimuse distributes itself is by compromising legitimate Web sites. It is planted there as a self-extracting ZIP archive that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to disguise what Zimuse is doing under the compromised computer’s hood.

Protecting the enterprise from mobile devices

Written by John P Mello Jr on February 1, 2010 – 6:30 pm -

As often happens with electronics trends, the proliferation of a consumer device soon results in that gadget knocking on the door of the enterprise. That’s the case with smartphones. The trend started with the BlackBerry, was supercharged by the iPhone and will continue to grow with phones running Google’s Android operating system.

What’s worrisome about these devices is that they run applications, far more applications than any IT department could vet for security purposes. Jupiter Research, acquired by Forrester Research in 2008, estimates that by 2014, 20 billion apps will be downloaded annually to smartphones.

That is a nightmare in the making for network administrators, who see legions of unknown programs touching their enterprises. Such apps already exist for the iPhone to directly access enterprise programs like SAP and Oracle. And with more apps on the way, the potential for them to spread malware or facilitate unauthorized access to precious data is a sobering thought for gatekeepers.

One way to get a handle on mobile devices invading an enterprise is to impose tough policies on employee use of their mobiles when performing office tasks. Monitoring policy compliance manually, though, can be an overwhelming task for overtaxed IT departments. There are automated systems for ensuring compliance, but they can be expensive to implement.

There are also some drawbacks to keeping a tight rein on smartphone use. By limiting an employee’s choices on how he or she must work, a policy could adversely impact the worker’s productivity. Then there’s the problem with exceptions to the rule. If someone higher up on the corporate food chain than an IT gatekeeper wants to use a particular application, whether it’s risky or not, an exception to its use will likely be made.

Net security hole could take year to fix

Written by John P Mello Jr on January 19, 2010 – 4:56 pm -

A fix for a flaw in an important Internet security protocol is ready for prime time, but it will be many months before the patch is fully deployed, according to technical experts.

The authentication vulnerability is in TLS/SSL, the most widely deployed security protocol on the Net, and could be exploited by attackers for all kinds of mischief. Because the protocol is built into browsers and Web servers to protect high-value information, the flaw affects a wide range of technologies, including online banking, back-office systems using Web-based protocols, non-HTTP applications such as mail and database servers, mobile phones, wireless access points, DECT phones and home security systems.

The vulnerability was discovered last September by researchers at PhoneFactor, a security service provider in Overland Park, Kansas, but was kept under wraps until November when another security expert, working independently, made the flaw public on a mailing list sponsored by the Internet Engineering Task Force (IETF).

With the cat out of the bag, PhoneFactor decided to push out a press release on the subject. In it CTO Steve Dispensa, who, along with Marsh Ray, initially unearthed the flaw, stated,

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

“The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols,” he added. “While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks.”
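The article does not describe the mechanism, so for context: the flaw PhoneFactor reported lies in TLS renegotiation, and the protocol fix Dispensa refers to was published as RFC 5746. A patched client signals the fix in its ClientHello in one of two ways, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF) or the renegotiation_info extension (type 0xFF01). The Python below is an added example, not code from the article or from PhoneFactor: it builds two constructed ClientHello records, one from an unpatched client and one from a patched one, and parses a record to tell them apart, which is the check a server operator would want when gauging how much of the client population has updated its SSL libraries. The zeroed random field and the two real cipher suites in the samples are constructed for the example.

```python
import struct

# Values from RFC 5746, the standardized fix for the renegotiation flaw.
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
EXT_RENEGOTIATION_INFO = 0xFF01

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(cipher_suites, extensions=(), version=b"\x03\x01"):
    """Assemble a minimal TLS record carrying a ClientHello (constructed test
    data: zeroed random, empty session id, null compression only)."""
    body = version + b"\x00" * 32 + b"\x00"          # client_version, random, session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # compression_methods: [null]
    if extensions:
        ext = b"".join(struct.pack("!HH", etype, len(data)) + data
                       for etype, data in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + version + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suites and extensions offered in a ClientHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")

    pos = 2 + 32                                      # client_version + random
    pos += 1 + body[pos]                              # session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                              # compression_methods

    extensions = {}
    if pos + 2 <= len(body):                          # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"cipher_suites": suites, "extensions": extensions}


def signals_secure_renegotiation(record):
    """True if the client advertises the RFC 5746 fix by either signal."""
    hello = parse_client_hello(record)
    return (TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]
            or EXT_RENEGOTIATION_INFO in hello["extensions"])


# Constructed samples: an unpatched client and a patched one, both offering
# TLS_RSA_WITH_AES_128_CBC_SHA (0x002F) and TLS_RSA_WITH_AES_256_CBC_SHA (0x0035).
UNPATCHED_HELLO = build_client_hello([0x002F, 0x0035])
PATCHED_HELLO = build_client_hello(
    [0x002F, 0x0035, TLS_EMPTY_RENEGOTIATION_INFO_SCSV],
    extensions=[(EXT_RENEGOTIATION_INFO, b"\x00")],  # empty renegotiated_connection
)

if __name__ == "__main__":
    for name, rec in (("unpatched", UNPATCHED_HELLO), ("patched", PATCHED_HELLO)):
        print(name, "signals secure renegotiation:", signals_secure_renegotiation(rec))
```

Fed captured ClientHello records from a server’s front door, the same check gives an operator a running count of clients still on unpatched libraries, which is the slow roll-out the article warns will take many months.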

Save your business from spam – Win a copy of GFI MailEssentials with ExchangeServerPro

Written by Giselle Borg Olivier on January 18, 2010 – 3:39 pm -

Is your business drowning in spam? Do you want an efficient and free way to stop spam from entering your inbox? ExchangeServerPro.com and GFI Software have teamed up to achieve a Spam Free 2010 by giving away two license packs of GFI MailEssentials™.

Two people have the chance to win: the first prize is a 50-user license pack and the runner-up prize is a 25-user license pack.

For details on how to enter the competition check out Paul’s blog post. The deadline for the contest is 31 January 2010, Australian EST.
