(Mike Bantick, ITWire) Security firm Sophos has recently produced its 2010 mid-year Security Threat Report, and whilst many things remain the same, there are plenty of new security vectors for the connected among us to deal with.

If there is one thing that is clear from the latest Sophos mid-year security threat report, it is that traditional attacks on private data are still prevalent.  Perhaps the vectors are shifting but figures show Spam, Phishing and Malware are still a major source of worry for security personnel world-wide.

The Security Threat Report shows that the traditional security attacks are migrating to social networks such as Facebook and Twitter.  Since April 2009, moving into 2010 reported Spam attacks reported from social networks increased from 33.4% to 57%, Phishing from 21% to 30% and Malware from 21.2% to 36%.  It is clear that criminal activity is moving into the online worlds increasingly populated by everyday Internet users.

(Chad Perrin, TechRepublic) Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don’t shoot yourself in the foot.

These tips focus on the ways users break their own security rather than on protecting against the predations of malicious security crackers. Security can be violated through careless acts more easily than by outside forces.
1. Turn off automated addressing features
2. Use BCC when sending to multiple recipients
3. Save emails only in a safe place
4. Use private accounts for private emails
5. Double-check the recipient, every time — especially on mailing lists

(M.E.Kabay, NetworkWorld) The recently-released free Sophos booklet, "10 myths of safe web browsing", is a simple, short summary of some basic Web safety information that can serve our purposes in raising security consciousness and involvement.

Each of the following myths is discussed in a short paragraph:
- Myth No.1: The Web is safe because I've never been infected by malware
- Myth No.2: My users aren't wasting time surfing inappropriate content
- Myth No.3: We control Web usage and our users can't get around our policy
[...]
This booklet would make a perfect subject for a brown-bag lunchtime discussion among the IT staff; it could be used as the basis for a user-education session to spark discussion of the issues.

Read more by following the full article link.

(David Heath, ITWire) You'd think that a virtualized environment would be a safe way to encapsulate a server, but that appears to be far from the truth. Earlier this year, Gartner released its own research  into the security of virtualized environments.  The results weren't pretty.  Gartner estimated that by 2012, 60% of virtual servers will be less secure that the physical servers they replace, although this is expected to drop to 30% by the end of 2015.

The Gartner report identified six major categories of risk:
- Information security isn't initially involved in the virtualization projects
- A compromise of the virtualization layer could result in the compromise of all hosted workloads
- The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms
- Workloads of different trust levels are consolidated onto a single physical server without sufficient separation
- Adequate controls on administrative access to the hypervisor/VMM layer and to administrative tools are lacking
- There is a potential loss of separation of duties for network and security controls

"Virtualization is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."  However, according to a BeyondTrust spokesman, "that hasn't stopped 90% of virtualized data centers from putting their most sensitive data on virtualized servers."

(Tom Brewster, ITPro) Malware levels have reached new heights as the first six months of 2010 proved to be the most active for malicious file activity on record, McAfee has reported.

There were 10 million new pieces of malware logged in the first six months of this year, while 6 million were discovered in the second quarter alone.

Threats were most likely to emanate from portable storage devices like USBs, while fake anti-virus software was the second most popular choice among malicious file spreaders. Social media-specific malware was the third most common basis for attacks.

(Robert McMillan, ComputerWorld) You know to keep your antivirus program and patches up to date, to be careful where you go on the Internet, and to exercise online street-smarts to resist being tricked into visiting a phishing site or downloading a Trojan horse. But when you've got the basics covered, but you still don't feel secure, what can you do?

Here are a few advanced security tips to help you thwart some of today's most common attacks:
1. Avoid scripting - This may be the one piece of advice that will do most to keep you the safe on the Web: steer clear of JavaScript, especially on sites you don't trust.
2. Back out of rogue antivirus offers - Rogue antivirus programs have emerged as one of the most annoying security problems of the past few years.
3. Sharpen your password game - People have to remember too many passwords on the Internet. Everyone knows this, but most of us get around the problem by using the same username and password over and over.Hackers know this as well, and they're happy to use it against you.

Read more by following the "full article" link.

(Ellen Messmer, Network World) Spam continues to grow largely due to the growth in malicious botnets. Many botnets are command-and-control systems used by criminals and are still the main way that spam is spewed into your e-mail box. A recent report states that the worldwide spam volume has now climbed to 230 billion messages per day, up from 200 billion at the start of 2010.

M86 Security has created the "Top Ten Most Wanted" Spam-Spewing Botnets list, many of them are believed to be controlled in Eastern Europe by criminals who manipulate compromised systems, mostly PCs, around the world to generate spam:
1. Rustock (generating 43% of all spam)
2. Mega-D (10.2%)
3. Festi (8%)
4. Pushdo (6.3%)
5. Grum (6.3%)
6. Lethic (4.5%)
7. Bobax (4.3%)
8. Bagle (3.5%)
9. Maazben (2.0%)
10. Donbot (1.3%)

Read more by following the "full article" link.

(Brad Reed, NetworkWorld) Like all good things, the increase in speed and power comes with greater risks: added data capacity, connection speeds makes 4G smartphones more vulnerable. This article describes what any smart IT department should know before allowing a 4G device onto its network.

The increased mobile data usage is only expected to intensify in the enterprise as more executives could try to use their favorite devices for both work and personal use. Mike Siegel, a senior director of product management at McAfee, says this will put a particular strain on IT departments' abilities to protect data across multiple operating systems and applications. "We have senior executives now who are pushing on IT to support Android or iPhone," he says. "With iPhone and Android, you have a propagation of applications that have connections back to sensitive corporate data in the cloud. So these devices now are very much a data leakage vulnerability."

What is to be done? Read more by clicking the "full article" link.

(Hannah Douglas, ITPro) In a time of threats to corporate data and costly breaches, companies aren’t doing enough to protect sensitive information, according to research.

According to a newly released report, sponsored by a data protection and management group, 52% of the nearly 300 IT security professionals surveyed do not encrypt the data on USB drives they use to carry company data.

The type of unprotected data reported by respondents was not insignificant, with 67% intellectual property, 40% customer data and 26%  employee details. Incidents of lost or stolen devices were also mentioned in the study, which said that 11% of the sample had experienced a breach recently.

(Carrie-Ann Skinner, NetworkWorld) Cybercriminals sent 3.7 billion phishing emails over the last year, in a bid to steal money from unsuspecting web users, says CPP. 25% of Brits have been victims of scams, losing on average £285.

A new research revealed that 55% of phishing scams are fake bank emails, which try and dupe web users into giving hackers their credit card number and online banking passwords. Hoax lottery and competition prize draws and 'Nigerian 419' scams that involve email requests for money from supposedly rich individuals in countries such as Nigeria, were also among the most popular phishing emails.

CPP also revealed social networking scams are on the rise. Nearly one fifth of Brits have received phoney Facebook  messages claiming to be from friends or family in the past year. One in 10 fear that fraudsters are using Twitter to follow them, while a third are concerned their social networking account could be hacked.

"It seems that not a day goes by without a new case of online fraud hitting the headlines. But what's concerning is that consumers are still falling victim," said Nicole Sanders, an identity fraud expert at CPP.

(Mary Brandel, NetworkWorld) Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models - software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) - the talk often turns to cloud security.

According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner's annual CIO survey of key technology investments. "Like with anything new, the primary concern is security," he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises - what some call a private cloud - because they're uncomfortable with the security issues raised by cloud computing and the industry's ability to address them.

"We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with," agrees Jay Heiser, an analyst at Gartner.[...] For this reason securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, "cloud providers themselves will see the opportunity to differentiate themselves by integrating security," he says.

(Tim Lohman, Computerworld) Almost by the day, enterprises are becoming more receptive to the consumerisation of IT and introduction of mobile devices and platforms into their environment. But introducing smartphones, netbooks or newer technologies such as the iPad and e-readers, can pose security issues to an organisation - and to any customer or business included in the data held on the devices.

Threats such as Trojans and drive-by-downloads which attack and exploit unpatched vulnerabilities in software installed on an endpoint, rogue security applications, spyware, botnets, worms, viruses and phishing attempts are all threats that apply as much, if not more-so, to consumer devices as office-bound PCs. And once commercial data makes its way onto an employee's device, which is often unmanaged, the enterprise can no longer control its spread or usage. [...]

IT managers must also bear in mind that while employee devices perform a dual role - as a personal device and a company device - the protection of any organisational data held on the devices is totally up to the company, says senior marketing manager for Websense, David Brophy.[...]

(Dancho Danchev, ZDNet) New research indicates that 1.3 million malicious ads are viewed per day, with 59% of them representing drive-by downloads, followed by 41% of fake security software also known as scareware.

More findings from the Dasient research:
- The probability of a user getting infected from a malvertisement is twice as likely on a weekend and the average lifetime of a malvertisement is 7.3 days.
- 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as javascript widget providers, ad networks, and/or packaged software providers).
- Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications.

The research’s findings are also backed up by another recently released report by Google’s Security Team, stating that fake AV is accounting for 50% of all malware delivered via ads.

(Linda Musthaler & Brian Musthaler, NetworkWorld) Symantec has published its annual in-depth threat report and recommendations on how to improve enterprise security.

Based on multiple sources, the report presents an in-depth view of what threats exist on the Internet today, and what the trends are over a span of years. For example:

1. There continue to be many targeted attacks on enterprise organizations.
2. Web-based attacks are still common, and they are the primary means to install malicious code on computers.
3. More than 240 million distinct new malicious programs.
4. Executable file sharing has become the primary means of transmission of infections, especially for viruses and worms.
5. Botnets are responsible for distributing 85% of spam.[...]

(Wolfgang Gruener, ConceivablyTech) MessageLabs has released a new issue of its monthly intelligence report, which reveals interesting statistics of spam originating from client computers that are infected by botnets. Not surprisingly, most spam comes from Windows users, but Linux systems are five times more likely to be sending spam than Windows. And: There is virtually no spam that is sent from Apple Mac computers.

Spam still accounts for nine out of ten emails (89.9%) sent, one in 341 emails contains malware and one in 455 emails carries a phishing attack. Spam is dominated by botnets that infect client computers around the globe and use their connectivity to send out emails.[...]The entire spam volume caused by all botnets currently monitored is about 121 billion messages per day from up to 5.6 million computers. Non-botnet spam is only 7 billion messages per day, bringing the total spam volume to just above 128 billion messages per day.

If we look at the PCs that are controlled by the botnets and that are sending the spam, and break them down by operating system, MessageLabs’ data shows, not surprisingly, that 92.65% of all spam came from Windows machines, 0.001% from Mac OS X systems and 5.14% from Linux computers in March 2010.

(Jon Oltsik, NetworkWorld) Large organizations now realize that endpoint security (and management) extends beyond PCs to mobile devices like Blackberrys, Droids, iPhones, iPads. Mobile device security is one of those areas that should get more attention. Users want better data security and integrated solutions.

So which security technologies are most important for mobile device protection? According to a recent ESG Research survey, here are the top 5:

1. Device encryption (51% of respondents rated this as "very important", 34% rated this as "important")
2. Device firewall (48% of respondents rated this as "very important", 37% rated this as "important")
3. Strong authentication (46% of respondents rated this as "very important", 41% rated this as "important")
4. Antivirus/Anti-spam (45% of respondents rated this as "very important", 37% rated this as "important")
5. Device locking (44% of respondents rated this as "very important", 41% rated this as "important")

(Veronica C. Silva, MIS Asia, NetworkWorld) A new report on consumer online behaviour and criminal activities on the Internet noted that new security threats have recently emerged, prompting the implementation of a mix of security solutions to protect unsuspecting victims.

Blue Coat's annual 'Blue Coat Web Security Report for 2009' released recently noted that security solutions are finding it difficult to keep up with the rapid attacks by cyber criminals. The popularity of social networking activities online is also making the Internet more vulnerable to recent attacks. The report noted that social networking sites accounted for 25% of activity among the top 10 URL categories last year. Web-based e-mail, on the other hand, dropped in popularity from fifth place in 2008 to ninth in 2009.

"The battlefield for information security against identity theft and cyber crime is the Web. The Web, and especially social media, is where the apps are, where the eyeballs are and, therefore, where the attacks are," said Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research.[...]

(Dave Rosenberg, CNET) In this day and age of technological advancement and digital lifestyles, it's incredible to me that nearly half of a recently surveyed audience opened junk e-mail (aka spam), intentionally.

According to a new survey report, tens of millions of users continue to respond to spam in ways that could leave them vulnerable to a malware infection or bot network. The results of the survey show that nearly half of the users have opened spam, clicked on a link in spam, opened a spam attachment, replied, or forwarded it - all activities that leave consumers susceptible to fraud, phishing, identity theft, and infection.

(Mis Asia Writer, Network World) Global spam volume grows by 25 per cent. A new research revealed a surge in spam levels in February 2010 to make up 89.4% of all e-mails.

Spam levels in Hong Kong reached 90.6% and virus activity in China was the highest in the world in February, according to Symantec's latest MessageLabs Intelligence Report. In Singapore, one out of every 319.2 e-mails contained a virus in a period when the total spam volume globally increased by about 25%.

In February, the most spammed industry, with a spam rate of 93.1%, was the engineering sector. Spam levels for the education sector were 90.8%, 89.3% for the chemical and pharmaceutical sector, 89.8% for IT services, 91.1% for retail, 87.6% for the public sector and 88.4% for finance.[...]

(Ellen Messmer, Network World) Botnet attacks are increasing, as cybercrime gangs use compromised computers to send spam, steal personal data, perpetrate click fraud and clobber Web sites in denial-of-service attacks. Ranked by size and strength, these article presents the 10 most damaging botnets in the U.S.

1. Zeus
Compromised U.S. computers: 3.6 million. Main crime use: The Zeus Trojan uses key-logging techniques to steal sensitive data such as user names, passwords, account numbers and credit card numbers.
2. Koobface
Compromised U.S. computers: 2.9 million. Main crime use: This malware spreads via social networking sites with faked messages or comments from "friends."
3. TidServ
Compromised U.S. computers: 1.5 million. Main crime use: This downloader Trojan spreads through spam e-mail, arriving as an attachment.[...]

Read more by following the "full article" link.

(Lance Whitney, CNET News) "Bomb Blast." "Jackson is still alive: proof." "Obama cursed by Pope." These are just a few of the subjects used by cybercriminals last year to trick people into opening malware-infected e-mails.

Spam that uses the latest news headlines was just one of the hot trends last year in the world of cybercrime, according to McAfee's "Q4 Threats Report", released Tuesday. The latest threat assessment also noted a rise in "hacktivism," or politically motivated cyberattacks.

Though spam levels in the fourth quarter actually dropped by 24% from the third quarter, the daily volume of junk mail around the world still averaged 135.5 billion per day. To reach that level, spammers relied heavily on news stories, especially tragedies.

(Linda McGlasson, Bank Info Security) Bogus security software applications are among the types of electronic crimes that grew 585% over the first half of 2009, according to a new study. The Anti Phishing Working Group's (APWG) latest report shows that rogue anti-malware programs, infected computers and crimeware broke new records in the first half of 2009.

Other important conclusions drawn through this analysis:

1. The number of unique phishing websites detected in June rose to 49,084, the second-highest recorded since APWG began reporting this measurement.
2. The number of hijacked brands ascended to an all-time high of 310 in March and remained at an elevated level to the close of the half in June.
3. The total number of infected computers rose more than 66% to 11,937,944.
4. Payment Services became phishing's most targeted sector.
   

"The Internet has never been more dangerous", says APWG's Chairman Dave Jevans. "In the first half of 2009, phishing escalated to some of the highest levels we've ever seen."

Cisco's Annual Security Report for 2009 highlights the impact of social media, particularly social networking, on network security and explores the critical role that people, not technology, play in creating opportunities for cybercriminals. The report also discusses trends in cloud computing, spam and overall global cybercrime activities that information technology professionals continue to face.

Social media experienced explosive growth in 2009. Facebook alone tripled its active user base to 350 million over the course of the year. Social media adoption is expected to continue growing into 2010, especially as more organizations realize the value of social networks as an absolute business requirement. Social networks have quickly become a playground for cybercriminals because members of these sites put an inordinate amount of trust in the other members of their communities and often fail to take precautions to prevent the spread of malware and computer viruses.

"The blending of social media for business and pleasure increases the potential for network security troubles, and people, not technology, can often be the source. Without proper cognizance of security threats, our natural inclination to trust our 'friends' can result in exposing ourselves, home computers and corporate networks to malware", says Patrick Peterson, Fellow, Cisco. "The value of social media is becoming acknowledged increasingly by businesses, but these same organizations need to provide the proper training and education to ensure that employees avoid compromising themselves and their businesses."

The Annual Security Report also provides more information on the potentially devastating combination of minor vulnerabilities, poor user behavior, and outdated security software that can dramatically increase risks to network security.

(John E. Dunn, TechWorld ) The world is not only losing the war against spam, the situation might be about to get a whole lot worse with the emergence of a new type of automatic botnet able to thrive without direct human control, Symantec's MessageLabs division has warned.

MessageLabs reckons this is a sign that today's botnets have been modified to more quickly adapt to the loss of a particular nodes, transferring traffic through different channels in a matter of days or even hours. The speed of response necessary requires self-healing behaviour, including the use of encrypted channels for control based on P2P principles.

MessageLabs' Paul Wood predicts that during the coming year, botnets will migrate to a design based on "inbuilt self-sufficient code" able to adapt to anti-botnet activities and so improve their survival chances. The company has detected 5 million PCs that are now working on behalf of the botnets.

Previosuly considered a way of foiling the mass creation of email account to channel spam and get around reputation services based on trusting a whitelist of domains, CAPTCHA was now being defeated by individuals in sweat shops paid small sums to manually create accounts.

So what do reports such as this tell us that we might not have known a year ago? An important underlying theme is that criminality has now burrowed deep into the fabric of the Internet in ways that make tacking problems such as spam almost impossible.

(Chris Crum, WebProNews) Two weeks ago, Adobe released a critical patch for Flash Player and Acrobat Reader. According to online security company Trusteer, about 80% of users are still vulnerable, and perhaps more startling, the company views this as being possibly the biggest security hole on the Internet today.

That 80% figure is based on Trusteer's installed base of over 2.5 million online banking users of the company's security service.
"The penetration of Adobe Flash and Acrobat is unparalleled," a spokesperson for Trusteer tells WebProNews. According to Adobe, 99% of Internet users run Flash.
Reader and FlashSo so many people on the web are running Flash, and Adobe released the patch two weeks ago, why are so many still vulnerable? Trusteer thinks Adobe just has issues with distributing patches.

"Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism.  For some reason, it is not effective enough in distributing security patches to the field," says Trusteer CEO Mickey Boodaei. "Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem. We recommend that all enterprises and individuals install the latest Flash and Acrobat updates immediately."

According to the same study, targeting products like Flash and Acrobat is attractive to wrongdoers because they reach such a huge portion of Internet users. Browser use is much more diversified with Internet Explorer reaching about 65% of users and Firefox reaching 30%. Targeting Adobe's products just covers a lot more people.

(Robert McMillan, TechWorld) Smartphones are set to become a prime target for criminals according to Google's head of Android security.

"The smartphone OS will become a major security target," said Android Security Leader Rich Cannings, speaking at the Usenix Security Symposium. Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger. "Personally I think this will become an epiphany to malware authors," he said.

PCs running Windows are the prime target of criminal attacks today, and hackers have generally steered clear of mobile devices. Security experts say that this is because mobile phones haven't traditionally stored a lot of sensitive data, and because there are so many different devices to attack, it's hard to create a single virus that can infect a large number of users.

That may be changing as more and more people start using iPhones, BlackBerries, and - Google hopes - Android-based phones such as the Samsung I7500.

Google was late to market with an iPhone competitor - G1, the first Android system shipped in October 2008 - but the company hopes to make up ground by making its platform more open and appealing to developers. Android uses open-source components, and Google places fewer restrictions on device makers and application developers than Apple.

(Michael Kassner, TechRepublic) There seems to be a run on e-mail induced malware lately. It seems that e-mail as a malware delivery vehicle is getting a second wind. E-mail attachments and links are popular methods for bad guys to install malware on computers. So it’s important to understand what to do when you get an e-mail that has an attachment or link in the e-mail message body.

E-mail attachments are files that accompany e-mail messages. Attachments can be one of two things:

1. The actual file or document designated in the e-mail.
2. A copy of the expected attachment that has malware embedded in it.

E-mail links are the underlined phrases in e-mail messages that simplify going to a specified Web site. Clicking on a link can cause one of three things to happen:

1. The link opens the correct Web page referred to in the email.
2. The link activates a malware program embedded in the e-mail message.
3. The link is spoofed. It opens a Web page similar to the correct page, but with malware embedded in it.

Activating malware
E-mail malware requires user intervention to get started. It’s that simple. The bad guys will try any method possible to entice you to open an attachment or click on a link. One of their favorite tricks is to pretend that the e-mail is from someone you know. That way you have no reason to be suspicious.

Spread to other computers
Once installed, the malware will immediately try to infect other computers by sending out e-mail messages with the same infected attachment to all the e-mail addresses it found on the newly-infected computer.
Those recipients will more than likely open the e-mail attachment as well, because it appears to be from someone they know. So it’s not hard to see that this process will quickly overrun every computer on the network

(Chad Perrin, TechRepublic) E-mail security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of e-mail security is ensuring you don’t shoot yourself in the foot. These best practices will help you avoid any mistakes.

There’s a lot of information out there about securing your e-mail. Much of it is advanced and doesn’t apply to the typical end user. Configuring spam filters such as SpamAssassin, setting up encrypted authentication on mail servers, and e-mail gateway virus scanner management are not basic end-user tasks.

The following is a list of some important security tips that apply to all e-mail users - not just users of a specific application. The first five are listed in the order one should employ them, from the first priority to the last. This priority is affected not only by how important a given tip is, but also by how easy it is to employ. The easier something is to do, the more likely one is to actually do it and move on to the next tip. The last five pointers are best practices that will help prevent users from making careless mistakes.

Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought.
At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML - or “Original HTML,” as some clients label the option. Even better is to configure it to render only plain text. When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.

If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail.
This means avoiding the use of Web-based e-mail services, such as Gmail, Hotmail, and Yahoo! Mail for e-mail you want to keep private for any reason. Even if your Webmail service provider’s policies seem sufficiently privacy-oriented to you, that doesn’t mean that employees won’t occasionally break the rules. Some providers are accused of selling e-mail addresses to spamming “partners.” Even supposedly security-oriented Webmail services, such as Hushmail, can often be less than diligent in providing security to their users’ e-mail.

(Dancho Danchev, ZDNetSecurity) Which is the most dangerous keyword to search for using public search engines these days? It’s “screensavers” with a maximum risk of 59.1 percent, according to McAfee’s recently released report “The Web’s Most Dangerous Search Terms“.

Upon searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee’s research concludes that lyrics and anything that includes "free” has the highest risk percentage of exposing users to malware and fraudulent web sites. The research further states that the category with the safest risk profile are health-related search terms.

Here are more findings:

1. The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky
2. The categories with the worst average risk profile were also lyrics sites (5.1%) and “free” sites (7.3%)
3. The categories with the safest risk profile were health-related search terms and searches concerning the recent economic crisis. The maximum risk on a single page of queries on the economy was 3.5% and only 0.5% risky across all results. Similarly, even the worst page for health queries had just 4.0% risky sites and just 0.4% risk overall

This isn’t the first time McAfee is attempting to assess the risk percentage of particular search terms, as the company did similar studies in 2006 and 2007. And whereas the research attempts to raise awareness on malicious practices applied by cybercriminals, it also has the potential to leave a lot of people with a false feeling of security since it’s basically scratching the surface of a very dynamic problem.

(Jennifer Bosavage, ChannelWeb) A new survey finds that IT security professionals are suffering from "password fatigue" when it comes to using their mobile devices.

Credant Technologies, an endpoint data security vendor, surveyed 227 IT professionals for its study, many of whom were from companies with more than 1,000 employees. Thirty-five percent responded that they just don't get around to using passwords on their business phones and smartphones, although they may contain sensitive and confidential information.

The study found that IT professionals are only marginally better at using passwords than the general population; A survey conducted earlier in the year by Credant found that 40 percent of all users don't use passwords on their mobile phones. Different types of sensitive information are kept unprotected on smartphones and mobiles. For example, 23 percent said they store business e-mails, 12 percent have bank account details and 5 percent have credit card information unprotected on their devices.

(Kevin Beaver, CISSP TechTarget) As businesses continue to integrate Linux into their existing Windows infrastructures, extending Active Directory functionality to accommodate these systems is becoming more appealing. Many shops already run some combination of Samba/Winbind, PAM, and OpenLDAP that offer up Windows authentication services, among other things. Although some admins are looking ahead for ways to replace Active Directory altogether (a goal of Samba 4), don't hold your breath - Samba 4 has been four years in the making. There are commercial solutions for Active Directory/Linux integration available from vendors such as Quest, Centrify, and Likewise. So the need and the solutions are there. But, of course, it's not that simple - at least if security is on your radar.

Whether you've already started down the path of integration or have it on the docket for the near future, there are some Active Directory-centric security issues you need to be aware of. Like acquiring a new company and taking on its business processes and codebase, you're going to get the warts and all when you incorporate Active Directory into the Linux realm (or vice versa). You'll suddenly have all the security issues that come along with Active Directory – some of which will undoubtedly have some unintended consequences in your environment.

First off, dependence on Active Directory as your sole directory service and security policy enforcer can create a single point of failure. When Active Directory goes down – or goes away – because of some unintended outage, design oversight, or mismanagement, your network services can come to a halt. This is the least likely of scenarios - but you still need to consider it.

Another common weakness with Active Directory is the lack of separation of duties. Simply put every admin has full access to the system and there's no real accountability. Be it via general security groups or admin access at the OU (or similar) level, there needs to be some sort of separation if multiple hands are allowed access.

You also have issues with password policies – or lack thereof. This is probably the most common weakness I see related to Active Directory security. Interestingly, admins will go out of their way creating well thought-out security controls such as one-way trusts, GPOs (group policies) for locking down workstations and so on but minimal – and reasonable – password requirements are often missing.

(Joe Rosberg, TechRepublic) Most of us have seen those spoof e-mails, when a personal e-mail address has been commandeered for the purpose of sending spam, but in this case, to everyone in your Address Book.

Here are a few ways it could happen:
Malware of some sort found its way onto your computer, and its sole purpose is to harvest e-mail addresses, which are then sent along to someone else for the purpose of sending spam e-mails.
Someone who has your e-mail address in their Address Book actually has the malware on their computer.
Some Web sites actually harvest e-mail addresses from a computer, especially those that presume to share things with others or invite friends, and so on; or perhaps people who are members of those sites have ways to harvest e-mail addresses from their friends.

What to do:
Scan your system for malware. Two tools I might recommend are Malwarebites and Hijackthis. And since some malware might resurrect itself through a Registry entry, perhaps running CCleaner would be prudent as well. However, consider the risks of running a Registry cleaner.
Make sure your antivirus software is installed and is up to date with the current virus definitions.
Make sure your Windows OS is current with all security updates.
Be careful of (or avoid) some (or all) of those social Web sites, especially ones that share e-mail addresses.
If your computer is clean, and you’re certain you weren’t compromised at a social networking site, send an e-mail to all the people in your Address Book to give them a heads-up that someone in your e-mail circle might be compromised. I would suggest sending them one at a time or with a blind CC, however, since I advise people to never send mass e-mails — although we probably all do it from time to time in certain cases.

(Paul Mah, TechRepublic) What kind of security policies do you enforce on mobile devices and smartphones that employees bring into the office? Are unsecured mobile devices opening up a back door into your corporate network? A study conducted by Credant Technologies shows that the use of mobile phones or devices for work-related matters is on the upswing. In a manner, this is surely good news, since what it means is that workers are increasingly being able to maximize their time — especially since shipments of smartphones have been projected to continue increasing.

Some of the statistics from the survey are as follows:

• 35 percent receive and send business e-mail
• 30 percent use them as a business diary
• 17 percent download corporate information, such as documents and spreadsheets
• 23 percent store customer’s information

In all, 600 commuters were interviewed at London railway stations. Interestingly, while 99 percent use their personal phones for some sort of corporate use or other, a quarter of them have actually been asked by their employer not to do so. The reason for that is simple enough — the possibility of losing one’s mobile phones to theft or carelessness could open the way to devastating data leaks.

In addition, unlike laptops where stored information is usually limited to whatever is on the hard disk, mobile devices are increasingly equipped and configured to tap into storage repositories and databases inside the corporate network.

The use of unsecured mobile devices
What I thought to be of particular concern here is the fact that 40 percent surveyed in this random sample failed to protect their mobile phones with even a rudimentary password. Extrapolating from this lack of security consciousness, the contents of media cards itself are likely to be similarly unprotected. I would not be surprised if the percentages of users without password or encryption were similar elsewhere.[...]

Whatever the approach, a deliberate strategy needs to be put into place to eliminate the presence of unsecured mobile device’s ability to access the corporate network.

The absence of a mobile usage policy
While computer usage policies are common in organizations by now, the situation is different when it comes to policies pertaining to the usage of mobile devices. As it is, mobile usage policy needs to be in place and followed by the implementation of security controls. This is hardly as easy as it appears to be, since these controls have to span the entire organization hierarchy in order to be effective. In addition, loss remediation procedures need to be drawn up and made known.

(Stefanie Hoffman, ChannelWeb) The Conficker worm that has left a trail of destruction in its wake for the last six months is set for a new evolution April 1 that will enable it to stealthily launch a variety of malware attacks unbeknownst to the security community.

Security experts say that the new Conficker variant, which has infected at least 12 million users around the globe since its creation in October, will contain a new update mechanism that will allow it to communicate with its command and control centers to upload new marching orders and launch attacks at will.

Part of the new update will include a refreshed ability to dodge scrutiny from the security community, which has thus far been able to intercept communication between the worm and its domains. After April 1, however, the new Conficker variant will contain code that will prevent the security community from blocking updates.

"The Internet as we know it will still exist," said Paul Henry, security and forensic analyst for Lumension Security. "But what (the security community has) been doing will no longer work after April 1. There's great concern in the security community because they're no longer able to block the command and control communication of this botnet."

Like other renowned worms, Conficker relies on numerous attack vectors to self-replicate and spread, using such techniques as brute force password guessing to propagate throughout a network.

The latest and most sophisticated variant - Version C - of the Conficker worm, was renowned for infecting copious networks via peer-to-peer networks and USB drives. It also added numerous defensive measures designed to evade detection and removal by disabling Windows Automatic Updates and Windows Security Center. In addition, version C had the ability to block access to several security vendors' Web sites while rendering numerous antivirus products useless.

(Lisa Phifer, TechTarget) Spyware is no longer just a petty nuisance, clogging enterprise desktops and access links - it's also crimeware, driven by the desire for illicit profits. Gartner estimates that these financially motivated attacks will represent 70% of all network security incidents by 2010.

Winning the war against malicious spyware requires a layered defense applied at the desktop, server and network edge. Security professionals are already familiar with desktop antispyware programs, but consider also how unified threat management (UTM) appliances can help you defeat spyware at network and workgroup perimeters.

Here, there, everywhere
From pesky adware like ISTBar to stealthy attacks like Trojan-Backdoor-SecureMulti, spyware is now held responsible for one out of four help desk calls and half of the PC crashes reported to Microsoft. IDC estimates that more than 75% of corporate desktops get infected with spyware. According to antispyware vendor Webroot Software Inc., spyware-related downtime and cleanup costs corporations approximately $250 per user annually. Fighting spyware on the desktop requires new techniques and tools because not only has spyware evolved considerably in recent years, it also still behaves differently than viruses and worms. Many enterprise products (e.g., CA Inc.'s eTrust Pest Patrol, Lavasoft Ad-Aware Enterprise, Webroot Spy Sweeper Enterprise) focus exclusively on host spyware eradication. Antispyware programs are also being rolled into desktop security suites, such as Symantec Corp.'s Client Security, which combines host antivirus, antispyware, firewall and intrusion prevention. Microsoft has embedded basic antispyware defenses into its recently released Windows Vista operating system.

Network antispyware
In most companies, desktop antispyware simply isn't good enough. Employees connect infected laptops to the corporate network; desktop software breaks or becomes out of date; visitors, contractors and home workers don't run your chosen antispyware program. Protecting an entire network against spyware really requires a network-based product that can be easily controlled by IT.

UTM appliances complement desktop antispyware by enforcing spyware policies at the network edge. Most UTM appliances, from companies like Cisco Systems Inc., Crossbeam Systems Inc., Juniper Networks Inc., Fortinet Inc., WatchGuard Technologies Inc., SonicWall Inc., and Secure Computing Corp., among others, consolidate firewall, intrusion prevention and antivirus scanning, and may provide additional security services, including VPN, Web filtering, antispam and antispyware.

(Michael Kassner, TechRepublic) URL-shortening services such as TinyURL and Bit.ly are becoming popular attack vectors. You may not want to automatically click on the shortened URL after you read this.
Originally, the process of URL shortening was developed to avoid broken URLs in e-mail messages. The increased popularity of instant messaging (IM) and Twitter has escalated the use of URL-shortening services like TinyURL and Bit.ly, especially Twitter with its 140 characters per message limit.

How they work
TinyURL, Bit.ly, and other Web sites that offer URL shortening are similar in how they work. All that’s required is to:
   1. Go to the respective Web site.
   2. Copy/paste the actual URL into the appropriate field.
   3. Click on Shorten if you want the Web site to append a generic ending on the URL.
   4. If a custom URL is desired, enter your chosen ending and then click on Shorten.
Presto, you have a new shortened URL that has little meaning and isn’t visually related in any way to the official URL.

Potential phishing method
As with many applications that are helpful to normal law-abiding users, attackers and spammers tend to leverage that same usefulness for ill-gotten gain. URL-shortening services provide attackers and spammers with the following options:
   * Allow spammers to side step spam filters as domain names like TinyURL are automatically trusted.
   * Prevent educated users from checking for suspect URLs by obfuscating the actual Web-site URL.
   * Redirect users to phishing sites in order to capture sensitive personal information.
   * Redirect users to malicious sites loaded with drive-by droppers, just waiting to download malware.

As you can see, there are all sorts of opportunities for misuse, just because the victim has no idea where the shortened URL is pointing.

(Polly Schneider Traylor, TechRepublic) Web apps continue to grow in popularity, but companies have legitimate concerns about security and reliability. Here are some ways to address potential risks and make sure you choose the right vendor.

Web-based software and services have proven to be a trend with staying power. Combine flexibility, relatively low maintenance and fees, and rich functionality and it’s easy to add up the benefits. Software as a service (SaaS), in particular, is playing out pretty well in today’s economy, according to IDC, which predicts the sector will see a 36 to 40 percent growth in 2009.

Yet many organizations, especially at the enterprise level, worry about offloading corporate data to a third-party vendor. Will security risks increase? What happens when reliability begins to suffer? How can they access critical data/systems during an outage? These are valid questions, but many experts actually think that your data is safest with a credible third-party whose business in effect is (or should be) managing the security and reliability of data across many customers. After all, if a vendor screws up, it will lose revenue, customers, and market share in a heartbeat.

(Nick Lowe, Check Point) Remember the first time you drove a car on your own, and you’d get a kick from the sensation of sheer speed? Unfortunately, you also have to learn the mundane stuff like how to turn, stop and reverse safely. The same is true in organizations that deploy virtualization.

Compared with deploying physical servers and apps, virtualization is like driving a new sports car. It’s so easy to move quickly. But just like when you were learning to drive, you’ve got to find out how to do it safely. It’s easy to be seduced by the performance and ease of virtual machines (VMs), and overlook the more mundane aspects – like security.

Analyst Gartner predicted that in the coming year, 60% of VMs will be less secure than the equivalent physical servers. This makes VMs the target of choice for potential malware or hacking exploits. How do you go about narrowing the security gap between virtual and physical deployments, and what techniques will help mitigate the risks?

History lessons
The first step is to be realistic about the actual security risks to VMs. There’s a lot of theorising and discussion of potential risks, such as new types of malware that targets hypervisors, or other vulnerabilities. Certainly, malware attacks specifically targeting VMs will appear as usage continues to grow.

However, the more pressing and important issue is ensuring your virtual environment is designed and built as robustly as your physical network. Remember that we’ve all had to go through 15 years of painful experience in securing servers and data against constantly-evolving threats, and in developing robust network architectures to give the right security framework. It’s vital that this isn’t overlooked when deploying a virtualized environment. In fact, this hard-won security knowledge stands you in very good stead when it comes to securing the virtual world.

VM hygiene
This means going back to basics, and looking at which applications are being moved from physical servers to VMs – and to audit what VMs may already be in use in the organization. It’s easy to get carried away with the performance benefits, and overlook the fact that the applications running on the VMs need to be segregated – for example, a public e-commerce application (that may have sat in the organization's demilitarized zone) and an internal CRM system.

(Linda Tucci, Senior News Writer, SearchCIO-Midmarket) IT security typically has been deemed one of those services best provided in-house. But the stigma attached to outsourcing security and Security as a Service - namely that an outsider does not know your company well enough to protect it - may be falling away, as businesses look for more ways to cut costs.

Certainly, some heavy-hitter providers believe attitudes are changing. This month, McAfee Inc. announced its new SaaS Security Business Unit. Headed by former Hewlett-Packard Co. SaaS executive Marc Olesen, the unit will oversee all McAfee products delivered over the Internet, including security scanning services, Web and email security services and remote managed host-based security software and hardware.

Meanwhile, last April, IBM launched some hosted and managed services that it says help midsized businesses better manage risk and improve the security of their IT systems, all while offering cost savings over traditional products. "Indeed, much of IBM's security strategy during the next 24 months will focus on moving security technologies into the cloud and expanding its managed services offerings," said Jason Hilling, an enterprise services business line executive with IBM Internet Security Systems. That includes providing some hosted implementations of technologies that once were located only at the customer premises.

"Because the economy is struggling, I think there will be enough excitement in the marketplace over the cost benefits of Security as a Service that we are going to see a much higher degree of willingness to look at it as a real viable option," Hilling said.

Hilling contended that a midmarket company with between 500 and 700 employees can realize costs savings from 35% to upwards of 60% by doing security as a managed service. Savings diminish as the deployment gets larger and more complicated, and the costs of managed services escalate.

Yet outsourcing security is not just about cost. "The world is becoming very hostile," said Sadik Al-Abdulla, solutions manager of security at CDW Corp.

"We have seen a substantial uptick in security incidents over the last two quarters, and even the automated attacks are going after data," said Al-Abdulla, who oversees CDW's advanced security practice, which has a strong midmarket bent (typically for companies with 1,000 to 2,500 users). "Maybe I am biased because I am in the security business, but I honestly believe that a single person can't keep up. I think a team of people who only do security can. So the question for the CIO becomes, do I hire a team or a company? There are reasons to answer that question both ways."

2009 is expected to bring a continuing increase in the amount of malware, as Panda Security research shows that during the first half of 2008 as many malware strains (viruses, worms, Trojans etc.) in circulation as in the previous 17 years combined have been detected, and this trend is expected to continue, if not grow, throughout this year.

What else is to be expected?

1. Banker Trojans and fake antiviruses will be the most prevalent malware types in 2009. Banker Trojans are designed to steal login passwords for banking services, account numbers, etc, while fake antiviruses try to pass themselves off as real antivirus products to convince targeted users they have been infected by malicious codes. Victims are then prompted to buy the rogue antivirus to remove these bogus infections. Cyber-crooks are currently profiting substantially from this type of fraud.
2. A significant proliferation of malware targeting new platforms such as Mac OS Leopard X. Linux or iPhone. The number of malware strains created for Mac or Linux platforms will grow in 2009, although they will still represent a very low percentage compared to the total number of threats.
3. The financial crisis will also bring an increase in malware related to stock markets and false job offers. Over the last few months of 2008, research has been conducted showing a clear correlation between the financial crisis and malware strategies: every stock market drop is followed by a spike in the amount of malware in circulation and the increase in the unemployment rate translates into a boom in false job offers aimed at recruiting money mules. According to the PandaLabs forecasts, this will repeat in 2009. Fake job offers will continue to grow whenever the unemployment rate goes up.

(TechNewsWorld) Malicious computer hackers will utilize better technological and psychological techniques in the year ahead, according to a security report from equipment vendor Cisco. Targeted attacks, cross-vector attacks and a rise in threats originating from legit domains are the report's most concerning trends.

As malware writers and Internet attackers become more sophisticated, 2009 looks to be a year of more focused attacks by profit-driven criminals bent on stealing data from businesses, employees and consumers.

Networking firm Cisco released its annual Threat Report Monday, citing a nearly 12 percent increase in the number of disclosed vulnerabilities over 2007 and a tripling of vulnerabilities in virtualization.

Targeted attacks and blended, cross-vector assaults, along with a 90 percent growth in threats originating from legitimate domains, top this year's list of the most worrisome new trends plaguing computer users, according to the report.

Attackers are changing tactics, leaving infected attachments behind for more specialized methods. Malware volume propagated via e-mail attachments declined by 50 percent from the previous two years (2005-2006), noted Cisco researchers.

(Convince & Convert) Which of These Email Marketing Stats Scare You Most?
1. 21% of email recipients report email as Spam, even if they know it isn’t
2. 43% of email recipients click the Spam button based on the email “from” name or email address
3. 69% of email recipients report email as Spam based solely on the subject line
4. 35% of email recipients open email based on the subject line alone
5. IP addresses appearing on just one of the 12 major blacklists had email deliverability 25 points below those not listed on any blacklists
6. Email lists with 10% or more unknown users get only 44% of their email delivered by ISPs
7. 17% of Americans create a new email address every 6 months

...and this can lead to security breaches and data loss!

(Softpedia.com) GFT inboxx, a British company specialized in archiving solutions, performed a survey which returned alarming results – over fifty percent of the questioned employees responded that either they didn't have any email policies at work or they didn't have knowledge of them.

The majority of respondents indicated that they had learned on their own that their company implemented security enforcements or some policies regarding email storage. Hereby, over two thirds of the respondents said that they had not been instructed in archiving their electronic mail, or advised on what they should keep after reading and what they should delete.

Click "full article" below to get all the info on this!