Internet war: picking on the finance sector – survey


Editorial office: Elsevier Ltd PO Box 150 Kidlington, Oxford OX5 1AS, United Kingdom Tel: +44 (0)1865 843645 Fax: +44 (0)1865 853971

Editor: Sarah Hilley

Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Production/Design Controller: Colin Williams

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (http://www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (+1) (978) 7508400, fax: (+1) (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) (0) 20 7631 5555; fax: (+44) (0) 20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02065 Printed by: Mayfield Press (Oxford) Limited


Computer Fraud & Security

Internet war: picking on the finance sector – survey

More vulnerabilities & phishing

Attacks on financial services companies have risen by 10% in the first half of this year, according to a survey by Symantec.

Financial firms faced 14% of all targeted attacks in the first six months of 2006, compared to only 4% in the second half of last year. The Internet Security Threat Report attributed the rise in attacks against financial firms to the increasing mercenary objectives of cyber criminals.

Home is where it hurts most

Most attacks (86%) still hit home computers, however, although the number for 2006 is down: home users suffered 93% of all targeted attacks in the latter half of last year. The report revealed that more than 157,000 unique phishing messages were detected this year, which is an increase of 81% on the previous six months. The report said: “This sharp increase over the previous six-month period may be a result of attempts by attackers to bypass filtering technologies by creating multiple randomized messages.”

The report also warned of aggressive marketing applications such as adware. Symantec said eight of the top 10 reported security risks were adware programs. Another emerging threat is the misleading application, which dupes users into downloading supposed 'security' tools, which don't work. The report stated that three of the top 10 security risks are “misleading applications.”

Other report findings:
• The most prevalent new malicious code family this period was that of the Polip virus.
• Spam made up 54% of all monitored email traffic, up from 50% in the last period.
• The United States was the target of the most DoS attacks, accounting for 54% of the worldwide total.
• China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total.
• The United States had the highest percentage of bot command-and-control servers with 42%.
• Beijing was the city with the most bot-infected computers in the world.
• The United States ranked as the top country of attack origin, accounting for 37% of the worldwide total.

In denial

An average of more than 6000 denial-of-service attacks were recorded per day during the study period, with internet service providers being most frequently hit by them.

Average patch development times — who is slowest?

Slowest – Sun operating system: 89 days
Mediocre – Hewlett Packard: 53 days
Warming up – Apple: 37 days
Speediest – Microsoft & Red Hat: 13 days

Vulnerabilities

Eighteen per cent more vulnerabilities were detected, making it the highest number of flaws ever recorded for a six-month period, with a total of 2,249. Web application vulnerabilities accounted for 69% of all flaws during this time. Mozilla browsers harboured the highest number of security holes at 47, compared to 38 in Microsoft Internet Explorer.

US state CISOs lacking in security certificates

More than half of state Chief Information Security Officers in the US do not have any IT security certifications, according to a government report produced for the first half of 2006.

October 2006