SQL injection attacks
It's an old-school method of attack, but hackers have figured out that if it's easy and profitable, they should keep doing it. SQL injection reared its ugly head in the news in May. Researchers said they tracked a massive wave of SQL injection attacks that find coding errors in websites and then use those sites to infect visitors' PCs with malware. The attacks seem to have originated in China, and today millions of Web pages are infected. Experts say automated scanning and infecting tools have made it simple for less technically savvy hackers to exploit SQL injection vulnerabilities. Even legitimate websites are not immune. The problem is so pervasive that Microsoft has stepped in to try to limit the threat. The software giant issued a security advisory in June, outlining some tools available to improve Web-based software coding and discover holes in websites. Experts are warning that the threat will continue in 2009.
Hannaford Brothers supermarket breach
Hannaford Brothers Co. disclosed a massive data breach on March 17. The company later told state and federal investigators that someone managed to place malware onto servers at all of Hannaford's nearly 300 grocery stores. The software ran in the background between Dec. 7 and Mar. 10, stealing up to 4.2 million credit and debit card numbers from the supermarket's payment systems. Although the company was at one time compliant with the PCI Data Security Standard (PCI DSS), experts say it did not have enough protection in place for data in motion during a credit card transaction. Hannaford announced plans to bolster encryption and conduct 24-hour network monitoring.
He's got a style all his own, but Dan Kaminsky was doing more than just handing out his grandmother's cookies in July. Kaminsky would not be ignored when he loudly sounded the alarm about a major domain name system server flaw that affected dozens of vendors. A coordinated release of patches soon followed. But in an interview for Security Wire Weekly, Kaminsky admitted a mistake. The security researcher kept the details a complete secret, failing to let anyone validate his research. Kaminsky eventually shared the data with Thomas Ptacek and the team at Matasano Security LLC. "This is a serious problem; it merits immediate attention, and the extra attention it's receiving today may increase the threat. The Internet needs to patch this problem ASAP," Ptacek said. The security community pressed on, and within days noted reverse engineer Halvar Flake correctly guessed the details. Flake hypothesized on his blog about how an attacker could conduct DNS cache poisoning by overloading the server with requests until a legitimate answer is received. Shortly after, H.D. Moore released the exploit for the vulnerability via his Metasploit Framework. After giving out his grandmother's cookies at the Black Hat conference, Kaminsky shed light on how he discovered the DNS cache poisoning flaw and what needs to be done to bolster the security of DNS.
Microsoft Vista adoption issues
We wrote a lot about the bolstered security in Microsoft Windows Vista, but for all the security features, end users haven't shown any excitement about using the fledgling operating system. In February a survey of IT administrators showed little enthusiasm for the release of Vista Service Pack 1. Some IT administrators complained of configuration issues; others said they experienced driver and reboot problems. Ultimately the consensus was the service pack fell far short of what's needed for wider deployments. To make matters worse for Microsoft, several researchers demonstrated ways to poke holes in Vista's strengthened armor. At the Black Hat briefings in August, Mark Dowd and Alexander Sotirov demonstrated the new methods they found to get around Vista protections. The researchers got around protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers. Then Ben Hawkes, a New Zealand-based independent security researcher, explained how to conduct attacks against the Vista heap allocator. So far Microsoft has been on a campaign to improve Vista's image among consumers, but we'll wait and see if they make any inroads with IT professionals or if Windows 7 will be the answer for many IT shops.
Slowing the spam surge
Spammers took a big hit in 2008, albeit very briefly. First, ICANN decided to de-accredit EstDomains, an ISP notorious in the security community for serving as a haven for malware authors and spammers. Then the upstream providers for McColo Corp. killed their connections to the hosting provider, which has been known in security circles as another home base for malware and spammers, as well as alleged child pornographers. The shutdown had an immediate impact on the Srizbi botnet, which was responsible for 50% of all spam globally. The result was a temporary reduction in overall spam volume. But experts correctly warned that the shutdown wouldn't stop spam or the spread of malware. MessageLabs, a managed messaging security services provider that tracks spam, phishing and Web-based attacks, said the annual average spam rate was 81.2% in 2008, a decline of 3.4% from a year ago. Recent reports from other vendors show that spam is returning to its earlier levels. Srizbi was designed to stay active and is quickly finding alternative hosting.
Other stories of note: