
bc blog

Brighton Consulting sponsors CUFA’s Ernesto Pereira

Australia fared relatively well during the financially turbulent 2009. So, rather than send out Christmas cards, Brighton Consulting decided to help someone less advantaged and support the CUFA Village Entrepreneur Initiative.

The Village Entrepreneur Initiative is operated by Credit Union Foundation Australia (CUFA), and provides budding micro-entrepreneurs from less-developed countries with the opportunity to expand or start their own small business. From this basis, they can enhance their well-being and their family’s living standards.

We are therefore very proud to be supporting Ernesto Pereira from East Timor. Ernesto hopes to establish a small business making and selling traditional handicrafts. While buying necessities such as food and medicine is very important for Ernesto, it is the education of his younger brothers and sisters that has motivated his business development.

CUFA has said that… “We will soon be conducting field support and funds distribution for supported Timor Leste Village Entrepreneurs mid-way through February… We look forward to providing you with updates on Ernesto’s progress towards financial independence and a more secure future.”

Hopefully, in deciding to support Ernesto, we can, as CUFA says, “make an impact”.

A Fresh New Look for First Option Credit Union

We have just completed the redevelopment of the First Option Credit Union website.

This new website incorporates a fresh new design with product information that is easy to find and easy to understand.

Our aim was to make it simple for members to find information and interact with their Credit Union.

With its latest news section, comprehensive online forms and calculators, and easy-to-access credit union information, First Option Credit Union is accessible to members 24 hours a day, 7 days a week.

www.firstoptioncu.com.au

Shift in criminal activity from email phishing towards website attacks and non-email channels

Website attacks are increasing while phishing emails are declining.

In its report New Web Threats in 2009, MessageLabs has identified this change:

“…from email based criminal activity such as malicious spam and virus infiltration to sophisticated online web-based attacks which deliberately prey on unsuspecting victims who are unfamiliar with the new wave of internet based threats.”

According to IBM’s X-Force 2009 Mid-Year Trend and Risk Report, phishing attacks declined significantly in the first half of 2009, while online criminals shifted to attacking websites instead.

"The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved.”

Avivah Litan, vice president and analyst at Gartner has been quoted, supporting IBM’s results.

“As a trend, cybercriminals are switching from [email] phishing to more ‘surreptitious’ malware attacks, she said. One reason for this shift is that email filtering mechanisms have been fairly successful at stopping the proliferation of phishing attacks. ‘We are hearing a lot more about malware and browser-based trojans than we are about phishing,’ Litan said.”

In its August report Spam evolution: January – June 2009 Kaspersky Lab has also documented a progressive decline in the proportion of phishing-related email spam.

According to Kaspersky Lab, phishing emails accounted for just over 0.2% of email traffic in June, a major reduction from January, when they accounted for over 0.9%. Kaspersky Lab argues that, as anti-phishing software is now more effective at protecting users, cybercriminals are finding this tactic less attractive.

Note, however, that while the number of email-based phishing attacks may be declining, the overall volume of phishing activity may not be. On 22 September, Cyveillance, a major cyber-security organisation, reported a significant increase in total phishing attacks over the previous three months once non-email channels are included. The company said that it is:

“…seeing a consistent increase in phishing attacks (176,864 over the past three months) with growth from areas outside traditional email spam; including social networking, voice and SMS texting.”

White House moves to open source

The US White House website is running on open source software.

The site at www.whitehouse.gov is running on a major open source CMS, Drupal. Drupal and Joomla! are two of the largest and most widely-supported open source content management systems available.

Both use a LAMP (Linux, Apache, MySQL, PHP) server configuration.

Publicity around the White House’s move to an open source system is a major boost for Drupal and for open source software generally.

Information on the news highlighting some of the relevant security issues can be found here:

Select Credit Union Website revamped and relaunched!

Today we launched the new Select Credit Union website: (www.selectcu.com.au).

An ebusiness client for four years, Select Credit Union’s new website project included an upgrade of its Content Management System, a redesign, a complete content restructure and the addition of several new features.

New centralised interest rate publication system

Select Credit Union operates in a very price-competitive market and was keen to ensure that visitors to the site could clearly compare interest rates. We used ‘centralised content’ functionality to publish interest rates in multiple places across the site while requiring editing in only one place.

The site is therefore efficient to maintain yet highly usable.

Growth in legitimate websites hosting malware/crimeware

Criminals are penetrating websites more often, not only to directly steal data, but also because they can provide an ideal conduit for distributing malware (malicious software) and crimeware.

While traditional phishing strategies are still being used by online criminals, compromising a real website is an even better attack vector: the cybercriminal doesn’t have to dupe the user into unusual behaviour by masking invalid URLs, creating fraudulent web pages and so on.

This trend has been identified in a large number of recent studies:

The August ScanSafe analysis of SQL injections revealed that the attacks have been used to distribute a ‘trojan cocktail’, including a keystroke-logging trojan and a backdoor that attempts to connect to a remote website.

IBM’s August X-Force 2009 Mid-Year Trend and Risk Report revealed a 508% increase in the number of new malicious web links in the first half of 2009. These malicious links were not limited to malicious domains or un-trusted websites. Instead, the malicious code was discovered on a large number of trusted sites such as search engines, blogs, bulletin boards, online magazines and mainstream news sites. For instance, in September the New York Times and Public Broadcasting Service websites were both subject to the serving of malicious advertisements.

The Websense report ‘State of Internet Security, Q1 – Q2, 2009’ identified similar trends:

  • the number of malicious websites increased by 233% over the six months of the study and 671% over the previous year
  • 77% of websites with malicious code were shown to be legitimate sites that had been compromised
  • 61% of the ‘top 100 websites’ either hosted malicious content or contained a masked redirect to lure users from legitimate to malicious sites

The SANS report also highlighted the emerging trend of trusted websites becoming an unwitting distribution vector for distributing malicious code.

“These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits… Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.”

In a 9 September article called 7 Reasons Websites Are No Longer Safe, Bill Brenner identified the following seven critical issues for websites that the ordinary user may think are trustworthy:

  1. polluted ads (advertisements containing malicious code served through the target website but drawn from another, compromised, file server)
  2. SQL injections
  3. user-provided content (eg. corrupted videos, malicious code-laden links, etc)
  4. stolen site credentials (allowing hackers to upload malicious code to the web server)
  5. compromised hosting service
  6. local malware (which is activated only in specific circumstances, eg when visiting Internet Banking)
  7. hacker-engineered fakes (phony security software, or scareware).
Which is more popular… Paris Hilton or Risk Management?

Just came across a comparison of the popularity of various security-related search terms. It’s not very scientific, but it’s amusing.

Dramatic increase in website vulnerabilities and SQL injection attacks

Earlier this year, NTA Monitor’s Web Application Security Report 2009 analysed the results of 12 months of web application security testing. Fully 27% of all online applications tested contained at least one high-risk vulnerability (an increase from 17% in the previous year).

Then in September the SANS Institute released its 2009 report on the top cyber security risks. This includes vulnerability data from 9,000,000 systems as well as additional analysis by the Internet Storm Center. The Institute found that (a) online attacks have substantially increased; and (b) 60% occur on web applications.

"Enterprises focus on attacks they can detect…[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."

During the same period, other security researchers have identified a dramatic increase in a particular type of attack on online applications and public websites: SQL injection.

SQL injection is a well-known attack vector that takes advantage of inconsistent security configuration in an application or web server to allow a hacker to run database queries and execute code on the target system.

This code commonly enables the hacker to access the database’s confidential information and potentially gain root access to the server. They then have complete control of the target environment and all systems (including websites) that reside within it, and can use this control to achieve their objectives.
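The mechanism described above, shown as an added example (not code from the original post): a lookup built by string concatenation beside the parameterised form that fixes it, run against a constructed in-memory SQLite table. The table, its sample rows and the probe string are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: a tiny "members" table, not any real site's schema.
SAMPLE_USERS = [
    ("alice", "hash-a", "member"),
    ("bob", "hash-b", "member"),
    ("carol", "hash-c", "admin"),
]

# A classic tautology probe: a single quote closes the literal, so the rest
# becomes SQL the developer never wrote. Constructed for the demonstration.
TAUTOLOGY_PROBE = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: user input is pasted into the SQL text, so quotes in the
    input change the query's structure. Returns (username, role) tuples."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter. The database treats
    the whole string as data, so a quote inside it cannot alter the query."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def leaks_on_probe(lookup, conn):
    """True if `lookup` returns more rows for the probe than for a name that
    does not exist, i.e. the input altered the WHERE clause."""
    baseline = len(lookup(conn, "no-such-user"))
    return len(lookup(conn, TAUTOLOGY_PROBE)) > baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", leaks_on_probe(lookup_vulnerable, db))  # True
    print("safe leaks:", leaks_on_probe(lookup_safe, db))              # False
```

The same bound-parameter pattern is available in every mainstream database driver, including PHP's PDO on the LAMP stacks mentioned elsewhere on this page.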

Delivering a keynote security speech at July’s (ISC)2 conference in London, IBM ISS technical manager James Rendell claimed that there had been an ‘absolute explosion’ in SQL injections.

Then in August, Mary Landesman, a senior security researcher at ScanSafe, announced that up to 130,000 websites had (at that stage) been compromised through a programme of mass SQL injections. This included a host of reputable public websites.

Since August, a large number of security reports have highlighted the high number of vulnerabilities in websites and online applications as well as the growing incidence of attacks on public websites, principally using SQL injection.

These trends are very disturbing and highlight the heightened threat facing organisations that operate public-facing websites which carry sensitive links or information.

World economy shows signs of recovery

An illuminating comparison between trends in the GFC and the Great Depression is progressively emerging on VoxEU.org, an economic policy portal set up by the Centre for Economic Policy Research to promote research-based policy analysis and commentary.

An evolving article by Barry Eichengreen and Kevin H. O’Rourke called ‘A Tale of Two Depressions‘ is tracking the progression of the current economic downturn across various indicators as compared to the downturn of the Great Depression.

Initial trends indicated that on many measures, the modern downturn was more severe than that of the Great Depression.

However, recent shifts in a number of indicators point to the effect of co-ordinated fiscal and monetary policy across multiple economies. While the trends are still only indicative, they generally point to the potential for the current downturn to be less severe and shorter than that of 1929.

For instance, global industrial production is showing a modest upturn along with various other global and national indicators.

That said, the crash in the volume of global trade still remains dramatic, even by the standards of the Great Depression.

Hotmail password phishing

Following the recent phishing attack on Hotmail accounts, a security researcher at Acunetix has published an interesting analysis of the passwords themselves.

The password list presents an interesting insight into the password selection habits of Hotmail users (and by extension, the wider public).

Of the 10,028 passwords in the initial list, 9,843 remained after cleaning; 8,931 of them being unique.

Disturbingly, 2,036 (23%) of the passwords were six characters or fewer: a password length which, according to AusCERT, can be cracked in 2.5 hours or less. AusCERT recommends a password length of at least eight characters, which will take up to a year to crack.

Even more disturbingly:

  • 42% contained only lower-case alpha characters
  • 19% contained only numeric characters
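As an added example (not from the original post or the Acunetix analysis), the same audit the post describes, applied to a constructed list: clean out blank entries, count unique values, and measure the share that are six characters or fewer, lower-case-only or digits-only, plus a check against the eight-character minimum quoted above. The sample list and the `meets_minimum` rule are assumptions for illustration.

```python
# Constructed sample of leaked-style passwords, including duplicates and
# blank/whitespace entries of the kind a cleaning step would drop.
SAMPLE_LIST = [
    "123456", "password", "alejandro", "123456", "  ", "",
    "Qwerty12", "abc123", "7777777", "maria", "Ab$9kLm2",
]

MIN_LENGTH = 8  # the AusCERT minimum quoted in the post


def clean(passwords):
    """Strip surrounding whitespace and drop empty entries (the 'cleaning' step)."""
    return [p.strip() for p in passwords if p.strip()]


def meets_minimum(password):
    """Assumed policy: at least MIN_LENGTH characters and not drawn from a
    single character class (all lower-case letters or all digits)."""
    if len(password) < MIN_LENGTH:
        return False
    if password.isdigit() or (password.isalpha() and password.islower()):
        return False
    return True


def audit(passwords):
    """Return the counts and percentages the post reports, for any list."""
    cleaned = clean(passwords)
    n = len(cleaned)
    short = sum(1 for p in cleaned if len(p) <= 6)
    lower_only = sum(1 for p in cleaned if p.isalpha() and p.islower())
    digits_only = sum(1 for p in cleaned if p.isdigit())
    weak = sum(1 for p in cleaned if not meets_minimum(p))
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {
        "initial": len(passwords),
        "after_cleaning": n,
        "unique": len(set(cleaned)),
        "six_or_fewer": short, "pct_six_or_fewer": pct(short),
        "lower_only": lower_only, "pct_lower_only": pct(lower_only),
        "digits_only": digits_only, "pct_digits_only": pct(digits_only),
        "below_policy": weak, "pct_below_policy": pct(weak),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LIST).items():
        print(f"{key}: {value}")
```

Running it over a site's own password-reset or registration stream (never stored plaintext) gives a quick read on how many users would fail the eight-character guidance before enforcing it.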

Good password selection is a prerequisite for good online security. Further guidance on password selection is provided here.
