Articles in Web Security Fresh Articles

How to Reduce Malware-Induced Security Breaches

(Steve Dispensa, eWeek) Malware has caused the industry to rethink its security best practices, introducing tools such as transaction verification to guard against real-time, man-in-the-middle attacks. Out-of-band authentication mechanisms are growing rapidly in popularity. While it is certain that malware will continue to evolve, Knowledge Center contributor Steve Dispensa offers four simple steps you can take to significantly reduce your malware-induced security breach exposure.

In a recent survey of IT professionals, over 32 percent felt that malware installed on PCs will pose the greatest external threat to IT security over the next 12 months. Over 16 percent indicated that malware on mobile devices presented the greatest threat. In total, malware running on PCs and mobile devices was ranked the top threat for 2010 by nearly 50 percent of respondents.

Fortunately, there are four concrete steps you can take to prevent malware threats in your organization:
  1. Step No. 1: Have a corporate anti-malware solution
  2. Step No. 2: Patch!
  3. Step No. 3: Deploy strong authentication
  4. Step No. 4: Use transaction verification

Surge in malware marks start of year

(Lance Whitney, CNET) The first three months of the year have so far witnessed a rise in malware and some notable cyberattacks, according to a report released today by Panda Security.

Tracking a big jump in malware (PDF), Panda Security has uncovered on average around 73,000 new types of threats being released every day. That's a 26 percent increase during this year's first quarter compared with the same period in 2010.



Among the various flavors of malware, Trojan horses have accounted for around 70 percent of all threats so far this year. That points to Trojans as a tool favored by cybercriminals who use them to grab bank account information and other personal data directly from their victims.

Corporate data breach average cost hits $7.2 million

(Ellen Messmer, Network World) The cost of a data breach went up to $7.2 million last year, up from $6.8 million in 2009, with the average cost per compromised record in 2010 reaching $214, up 5% from 2009.

The Ponemon Institute's annual study of data loss costs this year looked at 51 organizations that agreed to discuss the impact of losing anywhere between 4,000 and 105,000 customer records. The private-sector firms participating in the Ponemon Institute's "2010 Annual Study: U.S. Cost of a Data Breach" hail from across various industries, including financial services, retail, pharmaceutical technology and transportation.

While "negligence" remains the main cause of a data breach (in 41% of cases), for the first time the explanation of "malicious or criminal attacks" (in 31% of cases) came in ahead of the third leading cause, "system failure."

It turns out "malicious or criminal attacks" are the most expensive type of data breach to discover and respond to, costing on average $318 per customer record, $151 more than non-malicious breaches that stem from negligence or system failure.

Beware the coming corporate smartphone threat warn experts

(Lia Timson, ITWire) Rogue smartphone applications coupled with social engineering will be the undoing of corporate IT infrastructures, network security experts have warned.

As more and more enterprises succumb to the temptation of allowing employee devices to be used for work purposes - either because of cost or pressure from senior management - the threat to their IT systems security is rising.

Speaking at the RSA Conference 2011 in San Francisco this week, Ed Amoroso, security supremo at AT&T, also advised IT managers to skill-up and use 2011 to prepare themselves and their networks to deal with future threats.

While fake free versions of popular games such as Monkey Jump and Angry Birds are appearing outside the iTunes App Store, tempting people to download suspect code onto their phones, unchecked Android apps were also making their way onto mobile handsets which workers carry onto corporate networks.

Security departments not prepared for new technologies

(Joan Goodchild, CSO) Rapid adoption of mobile technology, social media and cloud computing in the workplace is creating a security problem for IT departments worldwide as they struggle to keep pace with demands, according to a survey released this week by security certification firm (ISC)².

The 2011 (ISC)² Global Information Security Workforce Study (GISWS) finds an increasing pressure to provide even more services to organizations to protect not just the organization's systems and data, but also its reputation, its end-users, and its customers. But the professionals charged with doing this are not prepared, according to the study's authors, who note the results reveal a clear gap in skills needed to protect organizations in the near future.

"The information security profession could be on a dangerous course, where information security professionals are engulfed in their current job duties and responsibilities, leaving them ill-prepared for the major changes ahead, and potentially endangering the organizations they secure," a summary of the findings states.

Low security awareness found across IT

(Jaikumar Vijayan, ComputerWorld) A broad spectrum of IT people, including those close to security functions, appear to have little awareness of key security issues impacting their organizations, a new survey shows.

About 22% of respondents claimed to be extensively involved in security functions, 60% claimed a limited or supporting role, and the rest said they were not involved with security at all. About 100 respondents belonged to companies with more than 10,000 employees.

What the survey showed was a surprising lack of awareness of security issues among the respondents. For instance, just 4% admitted to being fully informed about security breaches within their organizations. About 80% of those who said their organizations had suffered a data breach in the past year were unable to tell which IT components might have been impacted by the breach.[...]

Thom VanHorn, vice president of global marketing at Application Security, said the survey reveals a disturbing lack of communication about key security issues among different groups within enterprises. "It really says there isn't enough focus on security or communication across groups despite the environment we live in," VanHorn said.

10 tech trends to watch in 2011

(Gil Kirkpatrick, TechRepublic) Based on the results of surveys conducted at The Experts Conference last year, analysts at Quest Software have put together this set of predictions for the upcoming year.

There is a lot of buzz right now over cloud services adoption, platform vendor battles, and shifting technology investment strategies, but what happens in 2011 - and what doesn’t - will be determined by actual practices within the IT community. In-the-trenches IT practitioners surveyed at Quest Software’s The Experts Conference 2010 have provided insights into technology trends that appear likely to emerge this year. Here is a look at the top 10.

1. Cloud computing adoption will accelerate, but half of all companies will avoid the cloud for at least five years;
2. There’s no go-to cloud platform provider, so the vendor wars will heat up this year;
3. Organizations that adopt cloud computing will create new organizational structures to support the initiatives;
[...]

Read more by following the "full article" link.

Forrester: 2011 security strategy recommendations

(Khalid Kark, NetworkWorld) Every New Year brings an opportunity to review existing security plans and adjust strategies for the next year. Most CISOs are struggling with the same issues, ranging from dealing with the changing threat landscape to properly supporting the rising adoption of social technologies, employee-owned mobile devices, and cloud services.

Given security leaders' pain points and focus areas for 2011, Forrester has identified recommendations for security strategies that address the broad security trends in the current market. Our recommendations fall into three major themes:
1. Better governance structures (prepare for social technology adoption, help the business devise a strategy to leverage cloud services, actively support mobility in the post-PC era);
2. More mature security processes (from reactive tools to proactive focus on integrating tools and processes, from identity management to information and access management, from ineffective incident planning to robust breach response);
3. Improved analytics and reporting capabilities (educate and equip risk owners with relevant information for decision-making, demonstrate the value of security with business and financial metrics, enhance operational measures through validation and correlation).

Cybercriminals shifting focus from PCs to mobiles

(Stuart Corner, ITWire) Cisco has released its annual security report saying it shows "a major cybercrime turning point" in that cybercriminals have begun shifting focus from Windows PCs to smartphones, tablets and mobile platforms in general.

The report says this shift in focus is the result of three factors: significant improvements in security in the Windows environment, weak security in mobile devices and the rapid proliferation of mobile devices. However, the hugely popular practice of downloading apps from legitimate app stores is giving cybercriminals a whole new avenue to penetrate target devices.

"Third-party mobile apps are emerging as a serious threat vector. And right now, that market is like the Wild West," warns Horacio Zambrano, product line manager for Cisco. "No one is looking at these apps and determining what is a 'good app' or a 'bad app'."

Top 10 Tech Scares of the Decade

(Sarah Jacobsson Purewal, PCWorld) The dawn of the new millennium prompted fears about the future, but so far reality has not quite matched the predictions of catastrophe. The first 10 years passed uneventfully - well, aside from Y2K and a bunch of intelligent computer viruses. Here's a look back at the past decade, and ten of the most terrifying tech scares.

The past ten years saw some terrifying technology:
1. Y2K (2000), predicted outcome: end of the world and technology as we know it, actual outcome: accidental alarms, slot machine failures, incorrect dates on Websites.
2. Conficker Worm (2008-2009), no predicted outcome, actual outcome: an estimated 10 million home/business/government computers under its control.
3. Mydoom (2004-2009), no predicted outcome, actual outcome: the fastest-spreading e-mail worm ever.
[...]

Read more by following the full article link.

7 Scrooge-worthy scams for the holidays

(Joan Goodchild, NetworkWorld) All crooks want for Christmas is to steal your money and sensitive information. Security experts give tips on avoiding scams.

The 2-week mark before Christmas is when things start to ramp up out of control. Spammers and malware authors focus on when the attention is going to be there. And you don't need to be shopping online to get caught in one of their traps. Even checking out email or spending time on Facebook and Twitter has its risks for the unaware. Here are seven holiday humbugs to avoid:
1. "Free iPad giveaway!"
2. Fake gift cards
3. Stripped gift cards
4. "You're preapproved for this credit card!"
5. Bad e-cards
6. Bad links to holiday sales, job offers, etc.
7. Fake charities

Read more by following the "full article" link.

Top Security Predictions for 2011

(Tony Bradley, PC World) It's time to look ahead to 2011 with some predictions for what the year holds in store for security.

Aside from the festivities of the holidays, one thing that always makes December special is the combination of reflecting on the year gone by, and looking ahead to what the next year might hold. Hence, it's a good time to have a look at what 2011 holds in store for security:
1. Precision Attacks - evolution of malware attacks is continuing;
2. Ripped from the Headlines - it will remain common for attackers to exploit breaking news as malware bait;
3. Beware the Web - consolidation of various messaging platforms into Web services will increase, making it an attractive target for hackers who want to break into the corporate network;
4. Low-Hanging Fruit - IT admins will still have to monitor and protect the primary platforms, but will also have to scramble to ensure that the various networks and applications those platforms are connected to don't leave a window open for attackers;
5. Mobile Computing - mobile devices will be a common target for theft.

What are your predictions for 2011?

Report: Spam down, but malware continues hold

(Lance Whitney, CNet) Spam may be down but malware marches merrily on. That's the message from the "November Threat Landscape Report" released yesterday by security vendor Fortinet.

Global spam levels ultimately fell 12% in November after Dutch authorities took down a large Bredolab network made up of 140 different servers. The Bredolab botnet was typically used by cybercriminals to send out spam selling fake drugs, according to Fortinet. Spam had actually fallen as much as 26% the week after the network was dismantled but was able to stage a bit of a recovery afterward.

In terms of sheer malware attacks among the top countries hit in November, the U.S. accounted for 35%, up from 32% in October. Japan took 22% of the total attacks, up from 16% the prior month. And Korea took the brunt of 12.5% of the world's total malware attacks, up from less than 9% in October.

Keep Your E-Mail Private and Secure

(Tony Bradley, PC World) E-mail is one of the most widely used forms of communication today. Estimates from May 2009 suggest that around 250 billion e-mails are sent every day. That equates to more than 2.8 million e-mail messages per second, and some of them are not even spam.

E-mail is faster and cheaper than traditional postal mail, but at least when you seal that envelope and stick a stamp on it, you can have some confidence that only the intended recipient will open it. With e-mail, however, your message could be intercepted midstream, and you might never realize it. Copies and remnants of your message stored on your PC could be compromised as well. You have to take steps to secure and protect your e-mail messages.

Follow the "full article" link to learn how to protect your e-mail.

Encryption adoption driven by PCI, fear of cyberattacks

(Ellen Messmer, NetworkWorld) A survey of more than 900 IT managers shows that adoption of encryption in their organizations is being driven by two main factors, anxiety about possible cyberattacks and the need to meet the payment-card industry (PCI) data security standards.

According to the Ponemon Institute's "2010 Annual Study: U.S. Enterprise Encryption Trends," 69% of the 964 IT managers responding to the survey said the need to meet regulatory compliance was the driving force behind deployment of encryption in their organizations. And the most important regulatory factor to them was the need to meet encryption requirements of the PCI data security standard.

Another important factor spurring organizations to adopt encryption is fear related to cyberattacks. Some 88% of organizations in the survey acknowledged at least one data breach, up three points from 2009. And of those, "23% had only one breach and 40% had two to five breaches." These numbers were consistent with last year's results, but those experiencing more than five data breaches a year were up 3% from 2009.

A hazy view of cloud security

(Dave Kearns, Network World) More than three-quarters of the respondents in a recent survey couldn't say who they believe should be responsible for data housed in a cloud environment.

A recent survey of 384 business managers from large enterprises revealed that confusion abounds about cloud data security. More than three-quarters of the respondents couldn't say who they believe should be responsible for data housed in a cloud environment, while 65.4% said that the company from which the data originates, the application provider and the cloud service provider are all responsible, and another 13% said they were not sure. There was no consensus on who the single party should be that protects that data.

Click on the "full article" link to further read their findings.

People feel safer on a PC than on a mobile device

(Lance Whitney, CNet) A majority 87% of people polled for a new study think their home PCs offer better defense against viruses, malware, and hackers than do their mobile phones. Released today by the National Cyber Security Alliance and Symantec, the study also discovered that people may be overconfident in the power of their computers to protect them as less than half are using full security software.

Though only 24% of those polled said they feel very safe using their home computers to surf the Net, 61% said they feel somewhat safe. In contrast, just 18% said they feel very safe using their mobile phones to access the Web, while only 28% feel somewhat safe.

Only 5.1% of those surveyed think the Internet is safer than it was a year ago, while 68% feel it's about the same, and 21.2% believe it's less safe. Half of those polled cited identity theft as a major concern. Overall, 44% of the respondents see themselves as responsible for their own online safety. Only 30% believe keeping the Internet secure is the responsibility of Internet providers, while just 4% feel it's the government's job.

AntiVirus and AntiSpam email scanning. The Axigen-Kaspersky solution

The present document offers a comprehensive analysis of the ways to secure corporate email systems. It provides an expert opinion on the available approaches, architectures and deployment options for implementing security applications in the email infrastructure, while keeping a special focus on the benefits of using the integrated Axigen-Kaspersky solution.

Report: 95 percent of all email is spam

(Lance Whitney, CNet) Spam accounted for 95% of all email sent worldwide during the third quarter, according to a report released today.

Panda Security's third-quarter report also found that 50% of all spam came from 10 countries, with India, Brazil, and Russia as the top three sources. The U.S. came in No. 8, while the U.K. dropped off the list. Much of the spam that invades in-boxes comes from botnets that hijack computers whose owners don't realize their PCs have been infected, the report noted.

Trojans now are responsible for 55% of all malware threats, with many of them designed to steal information in order to access financial accounts. These types of threats have generally grown over the past two years, according to Panda, because their creators know they can get the greatest return on investment.


6 tips for guarding against rogue sys admins

(Carolyn Duffy Marsan, NetworkWorld) One of the biggest threats that organizations face is losing sensitive data - such as payment card or personally identifiable information about customers or employees - to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.

Heather Wyson, vice president of the fraud program at the BITS Financial Services Roundtable, says there has been an increase in insider incidents among U.S. financial services firms.

We spoke with CISOs and IT security experts about what practical steps IT departments can take to minimize the insider threat. Here's their advice:
1. Restrict and monitor users with special privileges
2. Keep user access and privileges current, particularly during times of job changes or layoffs
3. Monitor employees found guilty of minor online misconduct
4. Use software to analyze your log files and alert you when anomalies occur
5. Consider deploying data-loss prevention technology
6. Educate your employees about the insider threat

Mobile workers pose biggest security risk

(John E Dunn, TechWorld) Mobile workers trigger more security alerts when they leave the office than they do at their desks, the latest Symantec MessageLabs Intelligence Report has suggested. According to the company, the explanation for this disparity is simple: mobile workers visit riskier websites when traveling than they do in the more locked-down office environment.

After analyzing users on the company's hosted email service, remote workers were 5.4 times more likely to trigger download alerts than their office equivalents, a pattern that followed for visits to shopping sites, search engines, and dating sites. Mobile workers also generated 1,807 blocks based on infringing policies compared to only 322 for office workers.

"In general, more policy blocks overall are triggered by workers when they are out of the office, indicating rather intuitively that users are more compliant with usage policies when in the office," said MessageLabs' analyst, Paul Wood.

Fear of data loss, social media security risks rising

(Joan Goodchild, NetworkWorld) A new survey finds more organizations are dealing with data loss and security breaches due to employee use of social media sites. Email security firm Proofpoint polled 261 IT decision makers at organizations with more than 1000 employees. Respondents were asked about the frequency of data loss events in the past 12 months, as well as their concerns, priorities and policies related to email, the Web, social media and other sources of data loss risk.

The survey found 20% of companies polled had investigated the exposure of confidential, sensitive or private information via a post to a social networking site. In many instances, the events have been severe enough to lead to job loss or disciplinary action, with 7% of companies reporting termination of an employee for social networking policy violations. Another 20% disciplined an employee for not following social networking policy.

Social networking sites such as Facebook and LinkedIn were cited by 53% of respondents as a high concern when it comes to the risk of information leakage. However, not all companies are concerned enough to make the sites off limits. Only 53% explicitly prohibit the use of Facebook and 31% explicitly prohibit use of LinkedIn. Microblogging service Twitter was mentioned by 17% of companies as a source of investigation due to the exposure of confidential, sensitive or private information. Additionally, 51% said they are highly concerned about the risk of information leakage on Twitter.

A list of hottest IT security certifications

(Carolyn Duffy Marsan, NetworkWorld) Interest in IT security certifications is booming, as more U.S. companies tighten up the protection surrounding their critical network infrastructure and as a growing number of employees view security expertise as recession proof.

Three of the top 10 IT certifications in terms of demand among U.S. employers are security related, according to Foote Partners, a consultancy that tracks IT employment trends. These include the Red Hat Certified Security Specialist – which ranks as No.2 on the Foote Partners list – as well as the CompTIA Security+ (No.3) and the GIAC Security Essentials Certificate (No.6).

Worries about security breaches are prompting companies to get more IT employees trained and certified in information security, says David Foote, CEO of Foote Partners. "Employees are looking at security certifications as career safety," he adds. "Security is a great long-term career move because there's a steady drumbeat of regulations and compliance."

Read more by following the "full article" link.

Vulnerability management: The basics

(Bill Brenner, NetworkWorld) The more apps companies deploy, the more complicated vulnerability management becomes. In the rush to find every security hole and seal it off from potential hackers, it's easy to let something important slip through. That's especially true if you're an IT administrator juggling several tasks of which security is one.

To get anywhere with vulnerability management, Northcutt said there are five things to consider first:
1. Vulnerabilities are the gateways through which threats are manifested.
2. Vulnerability scans without remediation have little value.
3. A little scanning and remediation is better than a lot of scanning and less remediation.
4. Vulnerabilities in need of fixing must be prioritized based on which ones pose the most immediate risk to the network.
5. Security practitioners need a process that will allow them to stay on the trail of vulnerabilities so the fixes can be more frequent and effective.

If a data breach happens and it's traced back to a flaw the company knew about but didn't fix, the consequences can be serious. "This could be factored into the punitive damages phase of a court case," Northcutt said.

Next, Northcutt said it's important to identify the primary threat vectors an organization must worry about. They are:
- Outsider attack from network
- Insider attack from network (VPN)
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malware

Read more by following the "full article" link.

Most hacking victims blame themselves

(Robert McMillan, ComputerWorld) Just under two-thirds of all Internet users have been hit by some sort of cybercrime, and while most of them are angry about it, a surprisingly large percentage feel guilt too, according to a survey commissioned by Symantec.

In a cybercrime survey of just over 7,000 Internet users in 14 countries, researchers found that 65% of Internet users worldwide have already been victims. In the U.S., it's 73%, but things are worse in China (83%), Brazil (76%) and India (also 76%).

Another surprise: how victims react to being hacked. People do feel angry, but also feel pretty guilty: 54% said they should have been more careful when they responded to online scams. When it came to identity theft victims, 12% said that the incident was entirely their fault, Symantec found.

Do not underestimate the bad guys

(Mike Bantick, ITWire) Security firm Sophos has recently produced its 2010 mid-year Security Threat Report, and whilst many things remain the same, there are plenty of new security vectors for the connected among us to deal with.

If there is one thing that is clear from the latest Sophos mid-year security threat report, it is that traditional attacks on private data are still prevalent. Perhaps the vectors are shifting, but figures show Spam, Phishing and Malware are still a major source of worry for security personnel world-wide.

The Security Threat Report shows that the traditional security attacks are migrating to social networks such as Facebook and Twitter. Since April 2009, moving into 2010, Spam attacks reported from social networks increased from 33.4% to 57%, Phishing from 21% to 30% and Malware from 21.2% to 36%. It is clear that criminal activity is moving into the online worlds increasingly populated by everyday Internet users.

Five tips for avoiding self-inflicted email security breaches

(Chad Perrin, TechRepublic) Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don’t shoot yourself in the foot.

These tips focus on the ways users break their own security rather than on protecting against the predations of malicious security crackers. Security can be violated through careless acts more easily than by outside forces.
1. Turn off automated addressing features
2. Use BCC when sending to multiple recipients
3. Save emails only in a safe place
4. Use private accounts for private emails
5. Double-check the recipient, every time — especially on mailing lists

Sophos booklet helpful in corporate security awareness

(M.E.Kabay, NetworkWorld) The recently-released free Sophos booklet, "10 myths of safe web browsing", is a simple, short summary of some basic Web safety information that can serve our purposes in raising security consciousness and involvement.

Each of the following myths is discussed in a short paragraph:
- Myth No.1: The Web is safe because I've never been infected by malware
- Myth No.2: My users aren't wasting time surfing inappropriate content
- Myth No.3: We control Web usage and our users can't get around our policy
[...]
This booklet would make a perfect subject for a brown-bag lunchtime discussion among the IT staff; it could be used as the basis for a user-education session to spark discussion of the issues.

Read more by following the full article link.

How secure are virtualized servers?

(David Heath, ITWire) You'd think that a virtualized environment would be a safe way to encapsulate a server, but that appears to be far from the truth. Earlier this year, Gartner released its own research into the security of virtualized environments. The results weren't pretty. Gartner estimated that by 2012, 60% of virtual servers will be less secure than the physical servers they replace, although this is expected to drop to 30% by the end of 2015.

The Gartner report identified six major categories of risk:
- Information security isn't initially involved in the virtualization projects
- A compromise of the virtualization layer could result in the compromise of all hosted workloads
- The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms
- Workloads of different trust levels are consolidated onto a single physical server without sufficient separation
- Adequate controls on administrative access to the hypervisor/VMM layer and to administrative tools are lacking
- There is a potential loss of separation of duties for network and security controls

"Virtualization is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."  However, according to a BeyondTrust spokesman, "that hasn't stopped 90% of virtualized data centers from putting their most sensitive data on virtualized servers."

Malware reaches all time high

(Tom Brewster, ITPro) Malware levels have reached new heights as the first six months of 2010 proved to be the most active for malicious file activity on record, McAfee has reported.

There were 10 million new pieces of malware logged in the first six months of this year, while 6 million were discovered in the second quarter alone.

Threats were most likely to emanate from portable storage devices like USBs, while fake anti-virus software was the second most popular choice among malicious file spreaders. Social media-specific malware was the third most common basis for attacks.

Security secrets the bad guys don't want you to know

(Robert McMillan, ComputerWorld) You know to keep your antivirus program and patches up to date, to be careful where you go on the Internet, and to exercise online street-smarts to resist being tricked into visiting a phishing site or downloading a Trojan horse. But when you've got the basics covered and you still don't feel secure, what can you do?

Here are a few advanced security tips to help you thwart some of today's most common attacks:
1. Avoid scripting - This may be the one piece of advice that will do most to keep you safe on the Web: steer clear of JavaScript, especially on sites you don't trust.
2. Back out of rogue antivirus offers - Rogue antivirus programs have emerged as one of the most annoying security problems of the past few years.
3. Sharpen your password game - People have to remember too many passwords on the Internet. Everyone knows this, but most of us get around the problem by using the same username and password over and over. Hackers know this as well, and they're happy to use it against you.

Read more by following the "full article" link.

The top 10 'most wanted' spam-spewing botnets

(Ellen Messmer, Network World) Spam continues to grow largely due to the growth in malicious botnets. Many botnets are command-and-control systems used by criminals and are still the main way that spam is spewed into your e-mail box. A recent report states that the worldwide spam volume has now climbed to 230 billion messages per day, up from 200 billion at the start of 2010.

M86 Security has created the "Top Ten Most Wanted" Spam-Spewing Botnets list; many of them are believed to be controlled in Eastern Europe by criminals who manipulate compromised systems, mostly PCs, around the world to generate spam:
1. Rustock (generating 43% of all spam)
2. Mega-D (10.2%)
3. Festi (8%)
4. Pushdo (6.3%)
5. Grum (6.3%)
6. Lethic (4.5%)
7. Bobax (4.3%)
8. Bagle (3.5%)
9. Maazben (2.0%)
10. Donbot (1.3%)

Read more by following the "full article" link.

Securing 4G smartphones

(Brad Reed, NetworkWorld) Like all good things, the increase in speed and power comes with greater risks: added data capacity and connection speeds make 4G smartphones more vulnerable. This article describes what any smart IT department should know before allowing a 4G device onto its network.

The increased mobile data usage is only expected to intensify in the enterprise as more executives could try to use their favorite devices for both work and personal use. Mike Siegel, a senior director of product management at McAfee, says this will put a particular strain on IT departments' abilities to protect data across multiple operating systems and applications. "We have senior executives now who are pushing on IT to support Android or iPhone," he says. "With iPhone and Android, you have a propagation of applications that have connections back to sensitive corporate data in the cloud. So these devices now are very much a data leakage vulnerability."

What is to be done? Read more by clicking the "full article" link.

IT professionals still not protecting mobile devices

(Hannah Douglas, ITPro) In a time of threats to corporate data and costly breaches, companies aren’t doing enough to protect sensitive information, according to research.

According to a newly released report, sponsored by a data protection and management group, 52% of the nearly 300 IT security professionals surveyed do not encrypt the data on USB drives they use to carry company data.

The type of unprotected data reported by respondents was not insignificant, with 67% intellectual property, 40% customer data and 26%  employee details. Incidents of lost or stolen devices were also mentioned in the study, which said that 11% of the sample had experienced a breach recently.

3.7 billion phishing emails were sent in the last 12 months

(Carrie-Ann Skinner, NetworkWorld) Cybercriminals sent 3.7 billion phishing emails over the last year, in a bid to steal money from unsuspecting web users, says CPP. 25% of Brits have been victims of scams, losing on average £285.

New research revealed that 55% of phishing scams are fake bank emails, which try to dupe web users into giving hackers their credit card number and online banking passwords. Hoax lottery and competition prize draws and 'Nigerian 419' scams that involve email requests for money from supposedly rich individuals in countries such as Nigeria were also among the most popular phishing emails.

CPP also revealed social networking scams are on the rise. Nearly one fifth of Brits have received phoney Facebook  messages claiming to be from friends or family in the past year. One in 10 fear that fraudsters are using Twitter to follow them, while a third are concerned their social networking account could be hacked.

"It seems that not a day goes by without a new case of online fraud hitting the headlines. But what's concerning is that consumers are still falling victim," said Nicole Sanders, an identity fraud expert at CPP.

Cloud security: The basics

(Mary Brandel, NetworkWorld) Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models - software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) - the talk often turns to cloud security.

According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner's annual CIO survey of key technology investments. "Like with anything new, the primary concern is security," he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises - what some call a private cloud - because they're uncomfortable with the security issues raised by cloud computing and the industry's ability to address them.

"We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with," agrees Jay Heiser, an analyst at Gartner.[...] For this reason securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, "cloud providers themselves will see the opportunity to differentiate themselves by integrating security," he says.

What are the prospects for smartphone security threats?

(Chad Perrin, TechRepublic) Smartphones are becoming ubiquitous, but they are still limited in their usefulness. This is actually a boon for their security, at least for now — because they have not been effectively secured well enough to replace a desktop or laptop computer for a lot of high-risk activities.

With the growing popularity of smartphones, people are beginning to speculate about whether there will be an explosion of security issues in the near future. When will the storm of viruses appear? When will smartphones — relatively low-power by the standards of personal computers, but online pretty much all the time — become a platform of choice for botnet nodes?

Some security experts are skeptical of the idea that smartphones will ever be much of a target for malicious security crackers to build botnets, or otherwise hijack resources. Maybe the botnet threat will never materialize for the smartphone platform, because it is so limited compared to the general-purpose desktop and laptop computer. On the other hand, even if malicious security crackers are not directly targeting our smartphones yet, the ability to transfer files between a smartphone and a more general-purpose computer means that a smartphone can become an important vector for spreading viruses and other mobile malicious code. [...]

Endpoint security: managing enterprise smartphone risk

(Tim Lohman, Computerworld) Almost by the day, enterprises are becoming more receptive to the consumerisation of IT and introduction of mobile devices and platforms into their environment. But introducing smartphones, netbooks or newer technologies such as the iPad and e-readers, can pose security issues to an organisation - and to any customer or business included in the data held on the devices.

Threats such as Trojans and drive-by-downloads which attack and exploit unpatched vulnerabilities in software installed on an endpoint, rogue security applications, spyware, botnets, worms, viruses and phishing attempts are all threats that apply as much, if not more-so, to consumer devices as office-bound PCs. And once commercial data makes its way onto an employee's device, which is often unmanaged, the enterprise can no longer control its spread or usage. [...]

IT managers must also bear in mind that while employee devices perform a dual role - as a personal device and a company device - the protection of any organisational data held on the devices is totally up to the company, says senior marketing manager for Websense, David Brophy.[...]

Research: 1.3 million malicious ads viewed daily

(Dancho Danchev, ZDNet) New research indicates that 1.3 million malicious ads are viewed per day, with 59% of them representing drive-by downloads, followed by 41% of fake security software also known as scareware.

More findings from the Dasient research:
- A user is twice as likely to get infected from a malvertisement on a weekend, and the average lifetime of a malvertisement is 7.3 days.
- 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as javascript widget providers, ad networks, and/or packaged software providers).
- Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications.

The research’s findings are also backed up by another recently released report by Google’s Security Team, stating that fake AV is accounting for 50% of all malware delivered via ads.

Are you ready for these Internet security threats?

(Linda Musthaler & Brian Musthaler, NetworkWorld) Symantec has published its annual in-depth threat report and recommendations on how to improve enterprise security.

Based on multiple sources, the report presents an in-depth view of what threats exist on the Internet today, and what the trends are over a span of years. For example:
  1. There continue to be many targeted attacks on enterprise organizations.
  2. Web-based attacks are still common, and they are the primary means to install malicious code on computers.
  3. More than 240 million distinct new malicious programs.
  4. Executable file sharing has become the primary means of transmission of infections, especially for viruses and worms.
  5. Botnets are responsible for distributing 85% of spam.[...]

How to Integrate Data Loss Protection in Web 2.0 Security Strategies

(Bob Hinden, eWeek) Businesses in all types of industries today are investing in data loss protection technology at increasingly higher rates because of the increase in corporate insider threats. As more employees utilize Web applications for real-time communications, data leak prevention has become even more complex.

The ease of sharing information, combined with real-time communications, makes many of these social networking tools very compelling. And such trends are expected to continue, with enterprise spending on Web 2.0 technologies projected to reach $4.6B globally by 2013. Businesses can't ignore the opportunity to increase productivity by leveraging these new tools.

But the Web 2.0 world has made security more complex, and organizations are looking for a comprehensive approach to security that reduces—not multiplies—the number of threats, as well as eases management and regulatory challenges faced by IT managers.[...] An effective Web 2.0 security strategy will complement network protection with comprehensive endpoint security, and allow organizations to easily integrate new security services on existing infrastructure without exhausting limited IT budgets.[...]

Mac Users Do Not Spam, Linux Users Do

(Wolfgang Gruener, ConceivablyTech) MessageLabs has released a new issue of its monthly intelligence report, which reveals interesting statistics of spam originating from client computers that are infected by botnets. Not surprisingly, most spam comes from Windows users, but Linux systems are five times more likely to be sending spam than Windows. And: There is virtually no spam that is sent from Apple Mac computers.

Spam still accounts for nine out of ten emails (89.9%) sent, one in 341 emails contains malware and one in 455 emails carries a phishing attack. Spam is dominated by botnets that infect client computers around the globe and use their connectivity to send out emails.[...]The entire spam volume caused by all botnets currently monitored is about 121 billion messages per day from up to 5.6 million computers. Non-botnet spam is only 7 billion messages per day, bringing the total spam volume to just above 128 billion messages per day.

If we look at the PCs that are controlled by the botnets and that are sending the spam, and break them down by operating system, MessageLabs’ data shows, not surprisingly, that 92.65% of all spam came from Windows machines, 0.001% from Mac OS X systems and 5.14% from Linux computers in March 2010.

5 Best Practices for Enterprise Security

(Jamey Heary, PCWorld) With today's limited security budgets you need to be sure that you've adequately covered your highest risk areas before moving on to other things. Take a look at the top 5 security solutions you can put in place today to cover the widest scope of current and emerging threats.

These 5 items working together will stop more cyber attacks on your data, network and users than any other 5 items in the marketplace today. There are lots of other very useful security solutions on the market but when it comes to picking the top five most effective and readily available ones, here are the choices:
  1. Firewall - without firewalls in place to drop unwanted flows, your job of protecting your assets increases exponentially;
  2. Secure Router - routers are chock full of security features, sometimes even more so than a modern firewall;
  3. Wireless WPA2 - if you aren't using WPA2 wireless security then stop what you are doing and form a plan to start doing so;
  4. Email Security - a good email security solution will get rid of the junk and filter out the malicious stuff as well;
  5. Web Security - web security needs more than just URL filtering.
Read the detailed description of these 5 items by following the "full article" link.

10 ways to make sure your data doesn't walk out the door

(Debra Littlejohn Shinder, TechRepublic) Many organizations focus on protecting against external attacks but ignore a threat that might be even more destructive: data theft by someone inside the company. Here’s an up-to-date look at critical areas of concern.

Hacker attacks that bring down the network get a lot of attention, so companies concern themselves with protecting against those threats. In this article, we’ll take a look at what you should be doing to keep your data from walking out the door.
  1. Practice the principle of least privilege and put policies in writing
  2. Set restrictive permissions and audit access
  3. Use encryption
  4. Implement rights management
  5. Restrict use of removable media
  6. Keep laptops under control
  7. Set up outbound content rules
  8. Control wireless communications
  9. Control remote access
  10. Beware of creative data theft methods
Read more by following the "full article" link.

Mobile Device Security Woes

(Jon Oltsik, NetworkWorld) Large organizations now realize that endpoint security (and management) extends beyond PCs to mobile devices like Blackberrys, Droids, iPhones, iPads. Mobile device security is one of those areas that should get more attention. Users want better data security and integrated solutions.

So which security technologies are most important for mobile device protection? According to a recent ESG Research survey, here are the top 5:
  1. Device encryption (51% of respondents rated this as "very important", 34% rated this as "important")
  2. Device firewall (48% of respondents rated this as "very important", 37% rated this as "important")
  3. Strong authentication (46% of respondents rated this as "very important", 41% rated this as "important")
  4. Antivirus/Anti-spam (45% of respondents rated this as "very important", 37% rated this as "important")
  5. Device locking (44% of respondents rated this as "very important", 41% rated this as "important")

New cyber security threats

(Veronica C. Silva, MIS Asia, NetworkWorld) A new report on consumer online behaviour and criminal activities on the Internet noted that new security threats have recently emerged, prompting the implementation of a mix of security solutions to protect unsuspecting victims.

Blue Coat's annual 'Blue Coat Web Security Report for 2009' released recently noted that security solutions are finding it difficult to keep up with the rapid attacks by cyber criminals. The popularity of social networking activities online is also making the Internet more vulnerable to recent attacks. The report noted that social networking sites accounted for 25% of activity among the top 10 URL categories last year. Web-based e-mail, on the other hand, dropped in popularity from fifth place in 2008 to ninth in 2009.

"The battlefield for information security against identity theft and cyber crime is the Web. The Web, and especially social media, is where the apps are, where the eyeballs are and, therefore, where the attacks are," said Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research.[...]

Tens of millions still opening junk e-mail

(Dave Rosenberg, CNET) In this day and age of technological advancement and digital lifestyles, it's incredible to me that nearly half of a recently surveyed audience opened junk e-mail (aka spam), intentionally.

According to a new survey report, tens of millions of users continue to respond to spam in ways that could leave them vulnerable to a malware infection or bot network. The results of the survey show that nearly half of the users have opened spam, clicked on a link in spam, opened a spam attachment, replied, or forwarded it - all activities that leave consumers susceptible to fraud, phishing, identity theft, and infection.



Read more by following the "full article" link.

Top 6 Security Myths and How to Beat Them

(Kenneth van Wyk, Computerworld) Should it really be necessary for a consumer to be a security  expert to safely use a computer? We get disgusted that users keep falling for old tricks. But what are we doing to actually help these people?

We should start by better understanding the misconceptions about e-mail and Web site safety that pervade the user base. For example:
  1. If an e-mail looks authentic, it is safe
  2. This e-mail came from someone I know, so I know it's safe
  3. If a friend on Facebook or Twitter posts a link, it's safe
  4. If I merely view a message, without clicking on any attachments or links, I'm safe
  5. If I go to the URL, but don't do anything while I'm there, I'm OK
  6. If my browser displays the locked padlock, then the site is secure
Our systems - from their operating system cores and through the e-mail clients, Web browsers, etc. - need to help our users do things securely.

Read more by following the "full article" link.

What Are the Most Underrated Security Technologies?

(Bill Brenner, ComputerWorld) The security community has grown to depend on some basic technologies in the fight against cyber thieves. Here are four techniques and related technologies several cited as underrated in today's security fight.

1. Whitelisting
Application security is something companies increasingly worry about, as the number of business and personal apps proliferates. One of the more overlooked features of the technology is whitelisting - the art of allowing only traffic known to be valid to pass through the gate, thus providing an external input validation shield over the application.
2. Data encryptors and/or shredders
You need shredding machines to securely dispose of unnecessary or unscanned records and data encryption to protect the necessary scanned ones.
3. CPU stress testers
It seems that the current state of firmware security, even in the case of such reputable vendors as Intel, is quite unsatisfying.
4. Firewalls and AV
Firewalls and AV may no longer get the glory, but many regard them as absolutely necessary parts of any network security posture.

Spam plague in February and more to come

(Mis Asia Writer, Network World) Global spam volume grows by 25 per cent. New research revealed a surge in spam levels in February 2010 to make up 89.4% of all e-mails.

Spam levels in Hong Kong reached 90.6% and virus activity in China was the highest in the world in February, according to Symantec's latest MessageLabs Intelligence Report. In Singapore, one out of every 319.2 e-mails contained a virus in a period when the total spam volume globally increased by about 25%.

In February, the most spammed industry, with a spam rate of 93.1%, was the engineering sector. Spam levels for the education sector were 90.8%, 89.3% for the chemical and pharmaceutical sector, 89.8% for IT services, 91.1% for retail, 87.6% for the public sector and 88.4% for finance.[...]

Security tips for large and small businesses

(Steven Andrés, PC World) Whether your business is a big fish or a small-fry home office, you can get hacked just the same, and the stakes are higher than a few canceled credit cards. Here are a few tips to protect your users and your networks - steps that even enterprise-class security specialists may slip up on.

Steps for small businesses and enterprise-class security specialists:
  1. Know Who Might Be Targeted - and How and Why
  2. Don't Take the Bait
  3. Use Unique Email Addresses to Keep Password Reset Emails at Bay
  4. Don't click on anything in email
  5. Patch Early, Patch Often
  6. Don't Let Bob Stop You From Running a Secure Network
  7. The P of P2P Is Personal, Not Business
  8. Nail Down Your Network
Read more by following the "full article" link.

Security of virtualization, cloud computing divides IT and security pros


(Ellen Messmer, Network World) Is moving to virtualization  and cloud computing making network security easier or harder? When some 2,100 top IT and security managers in 27 countries were asked, the response revealed a profound lack of consensus, showing how divided attitudes are within the enterprise.

The "2010 State of Enterprise Security Survey - Global Data" report shows that about one-third believe virtualization and cloud computing make security "harder," while one-third said it was "more or less the same," and the remainder said it was "easier." [...]

The survey showed that the median annual budget for enterprise security in 2010 is $600,000, an 11% increase over 2009, with yet another 11% increase anticipated in 2011.[...]In fact, 40% of the respondents indicated their organizations were currently using applications in the cloud in some way -- yet 40% said it would be more difficult to prevent or react to data loss under their firm's cloud-computing strategy.[...]

America's 10 most wanted botnets

(Ellen Messmer, Network World) Botnet attacks are increasing, as cybercrime gangs use compromised computers to send spam, steal personal data, perpetrate click fraud and clobber Web sites in denial-of-service attacks. Ranked by size and strength, this article presents the 10 most damaging botnets in the U.S.

1. Zeus
Compromised U.S. computers: 3.6 million. Main crime use: The Zeus Trojan uses key-logging techniques to steal sensitive data such as user names, passwords, account numbers and credit card numbers.
2. Koobface
Compromised U.S. computers: 2.9 million. Main crime use: This malware spreads via social networking sites with faked messages or comments from "friends."
3. TidServ
Compromised U.S. computers: 1.5 million. Main crime use: This downloader Trojan spreads through spam e-mail, arriving as an attachment.[...]

Read more by following the "full article" link.

Spammers exploiting more news stories

(Lance Whitney, CNET News) "Bomb Blast." "Jackson is still alive: proof." "Obama cursed by Pope." These are just a few of the subjects used by cybercriminals last year to trick people into opening malware-infected e-mails.

Spam that uses the latest news headlines was just one of the hot trends last year in the world of cybercrime, according to McAfee's "Q4 Threats Report", released Tuesday. The latest threat assessment also noted a rise in "hacktivism," or politically motivated cyberattacks.

Though spam levels in the fourth quarter actually dropped by 24% from the third quarter, the daily volume of junk mail around the world still averaged 135.5 billion per day. To reach that level, spammers relied heavily on news stories, especially tragedies.



Defining and designing email security

(by hjkim, MailRadar Community) When most people think about email security, they think in terms of virus and spam protection. The typical questions are: 'How do I protect my users from viruses and spam?', 'What about phishing?', 'How are Trojans and other threats stopped?'. What is missing is a comprehensive, holistic approach to email security.

The above are some of the issues that a company needs to consider. However, there are many other issues that need to be addressed:

  1. Educating the employees and helping them understand how security affects their livelihood
  2. Reviewing physical security regularly
  3. Checking the network security
  4. Validating the administrators managing your email server
  5. Software security


Email security encompasses much more than just anti-virus and spam protection. The biggest threat does not occur outside of the company; most of the threats are within the company where information can be easily shared and hacked.


 
 

Spam traps catch 95% of email sent

(Matthew Broersma, ZDNet UK) Less than five percent of all email is delivered to mailboxes, as the rest is junk blocked by spam-fighting efforts, according to Enisa, the European Network and Information Security Agency.

While anti-spam measures are well used by providers, junk email remains a key problem for them and takes up a large part of their annual budgets, according to the report. [...] One-quarter of very small providers said they spent more than €10,000 (£8,700) per year on fighting spam, and one-third of very large providers invested more than €1m per year.

"The data on aborted SMTP connections and filtered emails seems to show that anti-spam measures are currently highly effective," the study says. The result is that only 4.4% of all email was delivered, down from 6% in Enisa's last spam report 2 years ago.

The agency noted that many providers, though not all, currently use collaborative measures to fight junk mail, such as working with spam-sending ISPs to eliminate the problem. It recommended that more service providers should work together on the problem.

10 email scams to watch out for

(Debra Littlejohn Shinder, TechRepublic) If it seems like you’re getting hit with more email scams than ever, you’re right. Email scams have been with us since the Internet went commercial back in the early 1990s. But scammers have gotten more sophisticated, and some of the more recent email scams are harder to detect — unless you know what you’re looking for.

Let’s look at some of the email scams that are currently going around the Internet and how you (and your users) can recognize them and keep from being victimized by them:
  1. Fake Facebook “friend” messages
  2. Fake admin messages
  3. Fear-mongering messages
  4. Account cancellation scams
  5. Bogus holiday cards
  6. Phantom packages
  7. Threats from the government
  8. Census survey says…
  9. In Microsoft (or Apple or Dell or HP) we trust
  10. You’re a winner! [...]
View the original article and learn more about email scams by clicking on the "full article" link.

Spam Volume Doubles and Is More Likely to Be Malicious

Marshal TRACE Midyear Threat Report Warns 45 Percent of Internet Users Are at Risk From New Cyber Criminal Tactics

Cyber criminals are using 'blended attacks' to distribute malware and links to hacked websites via email on an unprecedented scale. Unpatched browsers are putting more than 45 percent of Internet users at risk when they visit legitimate Websites infected with malicious code. Three botnets are responsible for 75 percent of all spam, pumping out billions of messages every hour through zombie clients and being used to launch mass attacks on Websites. These are the key findings of the Marshal Threat Research and Content Engineering (TRACE) report for the first half of 2008.

In an alarming new development, spam sent from webmail accounts that had been automatically created using CAPTCHA-breaking technology was seen to be on the increase, rendering common anti-spam defenses such as reputation less effective. CAPTCHA or Completely Automated Public Turing Test to tell Computers & Humans Apart was developed by Carnegie Mellon University to prevent spam robots exploiting Web forms.

Companies Struggle to Keep Data Safe

A staggering 94% of companies admit that they are powerless to prevent confidential data from leaving their company by e-mail, according to a new study from Mimecast.

It found that only 6% of respondents were confident that anyone attempting to send confidential information by e-mail out of the organization would be prevented from doing so. The study also showed that 32% of companies would not even be aware that confidential information had been leaked, and therefore would be unable to take steps to minimize the damage or track down the source of the information.

However, 62% said they would be able to retrospectively identify the e-mail leak once the information had been sent, but they did confess to being unable to prevent its disclosure.

"The figures show that organizations haven't nailed down the e-mail channel," said Tim Pickard, marketing director at Mimecast. "E-mail protection is catching on as a technology that manages information, as the industry moves away from protect-and-defense, to becoming more aware how information flows around the organization."

The 25 Most Common Mistakes in Email Security

This comprehensive article from itsecurity.com presents the 25 most common mistakes email users make and useful tips on how to prevent them, or as they say, "25 tips to bring newbie Internet users up to speed so they stop compromising your network security." Here is what you should keep in mind:

Properly managing your email accounts
1. Using just one email account.
2. Holding onto spammed-out accounts too long.
3. Not closing the browser after logging out.
4. Forgetting to delete browser cache, history and passwords.
5. Using unsecure email accounts to send and receive sensitive corporate information.
6. Forgetting the telephone option.

The Real Issue Around Server Virtualization Security

There is a general paranoia about server virtualization in the security community that goes something like this. The server virtualization hypervisor acts as a resource switch enabling multiple virtual hosts to share a single physical system. In theory, if you compromise the hypervisor, you gain access to every virtual host along for the ride. Imagine an instance where 50 hosts live on a single Intel server and you can see that a hypervisor attack could have extremely serious ramifications.

Yes, this is theoretically possible, but virtualization vendors understand this threat and are pretty conscientious about protection. [..] So what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry--lack of control. In a virtual server world, IT administrators can clone virtual hosts, move them around, or turn them on and off by accident or with malicious intent. What happens when an IT administrator moves a critical database server instance without re-configuring application servers or the network? How about when someone mistakenly adds a test server to the production network? The security "uh-oh" possibilities are endless.

Google: Spam, Virus Attacks to Get More Clever

Spam and virus threats to enterprise messaging security and compliance may level off this year compared to 2007, but social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team.

The report, released March 6 after Google's Postini team commissioned the study to survey 575 IT professionals, found that Postini data centers recorded 57 percent more spam and virus attacks in 2007 compared to 2006.

The size of spam e-mails also increased considerably as spammers included images, .pdf files, documents, spreadsheets and even multimedia files to spoof spam filters, according to report author Adam Swidler, senior solutions marketing manager for Postini.

Email Management For Dummies

Understand the basic facts about email management -- what it is and why you need it.

What is email management?
Email management encompasses four areas: Security, Backup/Storage/Recover, Spam and Virus Protection, and Compliance. Each of those categories can be subdivided by technology class and coverage. While not every company will need top of the line products in all categories, no business, regardless of size, should be completely vulnerable in any area. As with almost all business decisions, the trick is finding the solution that matches a business' needs without providing unnecessary features or costs.

How Does a Mail Server Respond to Fake Email Addresses?

During a security assessment, I found that I could connect to the SMTP gateway using Telnet. I tried sending mail from a fake domain, but it was detected as a mail relay and stopped. When I sent messages to fake employees inside the organization's domain, however, the mails were accepted. Can this be termed as a mail relay vulnerability? Can this be exploited for purposes other than social engineering? Most importantly, what is the best possible resolution?

What you describe is actually a very common situation and is not a cause for alarm. You can Telnet to most mail servers on TCP port 25 and send messages to the organization that uses the particular server. But, you should not be able to send email to other organizations. If you could, a spammer would find that mail server and use it to relay spam.

So, what actions should the mail server take if the destination email address is fake?

How do your Blacklist Stats Compare?

IP reputation and blacklists are among the most effective and common forms of blocking spam from ISP and telco email servers, but which ones are effective, and how do they compare?

Well, it depends of course on the type of ISP and the demographics of its users; for instance, ISPs with a large user base on one domain will suffer from different patterns than an ISP with hundreds of domains but only 1000 accounts.

LinuxMagic MagicMail Servers have had a built-in ability to monitor the performance of individual blacklists in use for some time now, and it might be helpful to other administrators to look at example stats from live environments to compare how their choices in active blacklists or IP reputation blocking may stack up. Blocking by IP reputation can reduce overhead and bandwidth significantly vs. traditional filtering.

In the first example, an ISP of more than 100k users was examined and compared with one of the leaders in the industry, Spamhaus, which was still the single most effective list tested. The stats do show that a combination of lists is the most effective, blocking approx. 75% of all inbound connections. (Rate limiting stops the worst offenders; otherwise this number would be much higher.) Spamhaus has several lists available, and at the time of writing, comparison was only made against the XBL list for the larger ISP. (It should be noted that ZEN will have a higher rate of blockage.) XBL alone could block approx. 50% of the traffic.

The second most effective list would be the UCE-PROTECT lists, at approx. 30-50% depending on the use of UCE-1 or UCE-2. PSBL and SORBS-DUL came in around 27% and SPAMRATS came in around 12%. Many IP addresses on various lists overlap, with unique counts generally being less than 10%.

One noted exception is MIPSPACE, but this is not a blacklist per se; it is a listing of companies and networks allowing or engaging in commercial email marketing, vs. the more traditional sources of spam. Over the last year, this type of email has shown the most aggressive increase, reaching 10% of all inbound connections.

Looking at a smaller ISP with many domains, e.g. hosting companies, we see a different trend. IP reputation is much more important. 88% of all inbound connections are blocked with IP reputation, and in this case we have numbers on Spamhaus ZEN, which show this as the single most effective list, with 80% blockage rates. (Again, these numbers may have been higher without rate limiters in effect.) UCE again is the second most effective, with approx. 40-50% blockage rates, depending on the use of UCE 1, 2 or 3. PSBL shows a higher capture rate in this environment as well, with approx. 40% blockage rates, as does SORBS-DUL at 38%.

SORBS also shows a slightly higher rate of uniques in this environment. SPAMRATS in this case also increases to 18%. There are many other reputation lists available, and it is up to individual administrators to weigh their effectiveness vs. the risk of false positives, but it is still obvious that IP reputation checks in the email servers are the single most productive tool at your disposal. Even the smallest list tested had over 1 million IPs that have been determined to have been used to launch either spam attacks or dictionary attacks.

Linux-Based E-mail Scanners

A short presentation of MailScanner and ClamAV as free email scanner alternatives for Linux, from ServerWatch:

I've never been comfortable with Windows-based e-mail scanners because they run on the same porous, malware friendly platform they're supposed to protect. Paying big bucks for software licensing fees year after year isn't a very attractive proposition either.

Fortunately, there are powerful, free alternatives, like MailScanner and ClamAV. Using these two together delivers stout protection against viruses, spam, phishes, and all manner of e-mail-borne malware. Both run on just about any Linux or Unix-type operating system, so you have the benefit of choosing your favorite operating system as well as the benefits of superior security, efficiency and performance.

ClamAV just keeps getting better. It installs with a nice set of default options, and thus requires minimal tweaking. It defaults to checking for new virus signatures several times per day, and it can scan outgoing mail. You should definitely scan outgoing e-mail — if this were a routine practice, 90 percent of e-mail would not be spam or malware.....

Mail injection through WebMail applications

This article describes an attack method against Web applications that communicate with mail servers, particularly WebMail applications. Some of the applications that are vulnerable to the mail injection threat can be exploited and forced to send arbitrary commands through e-mail protocols such as IMAP and SMTP. Hopefully, this information will prove useful to auditors and mail server code developers.

Exchange 2007 SP1 is now available

Microsoft Thursday shipped Exchange 2007 Service Pack 1 that includes support for the forthcoming Windows Server 2008 and enhancements to real-time communication and mobile device integration. Microsoft also made available Forefront Security for Exchange Server 2007 SP1, which includes improved content filtering and management, and support for Windows Server 2008. Even though it's a little later than previously announced, hopefully, this patch will straighten out some issues.

Ten Firefox extensions to keep your browsing private and secure

Most people lock their doors and windows, use a paper shredder to protect themselves from identity theft, and install antivirus software on their computers. Yet they routinely surf the Internet without giving a second thought to whether their browser is secure and their personal information safe. Unfortunately, it's easy for someone with nefarious intentions to use a Web site to glean data from -- or introduce spyware to -- your computer. Even worse, sometimes all you have to do is randomly click on a site to have your data probed in a most unwelcome way.