Security blues Monday

Mondays are usually quiet news days but this week it’s definitely ‘bad news day’ with a number of stories highlighting security issues. You can never be sure whether this is because more security glitches are happening these days or because we are being more open about them.

The first was an announcement by the European Commission (EC) following a phishing attack which allowed cyber criminals to steal account data and perform a number of fraudulent transactions. Individual emails were sent to users of the Emissions Trading System (ETS) registries, redirecting them to a phony log-in site that harvested their account details. This has forced the EC to rethink its data security practices in the wake of a recent attack on its web-based ETS. The ETS allows companies to trade carbon offsets in an attempt to manage and reduce emissions among member states.

Microsoft is planning a major ‘Patch Tuesday’ release this week, with 13 updates for a total of 26 vulnerabilities. Microsoft urged users to update their systems as soon as the patches are released in order to avoid recurrent problems.

The company said that it will issue fixes for Windows 2000, XP, Vista and Windows 7, as well as Server 2003 and 2008, Office XP, Office 2003 and Office 2004 for Mac. However, affected items include Windows XP Service Pack 2 and extended support for Windows 2000, both of which will be retired on 13 July.

Apple has not escaped either. A security researcher presenting at the Black Hat security conference in Washington DC has suggested that major flaws exist in the iPhone.

Researcher Nicolas Seriot said that Apple was leaving major holes in its software that could possibly allow attackers and malware developers to craft applications that steal user data such as recent calls and locations.

To remedy the situation, Seriot suggested that along with acknowledging flaws, Apple implement better protection of the iPhone's cache files and develop an outbound firewall to block transmission of potentially stolen data. For users, Seriot suggested keeping a close eye on what they install on their iPhones, even third party software which comes from Apple's own App Store service.

David Litchfield, chief research scientist of NGSSoftware, a UK-based computer security company, has uncovered what he says are flaws in widely used software from Oracle Corp that could let hackers remotely access sensitive information in corporate and government databases.

He claims that a bug in the design of the Oracle database could allow hackers to break into private databases via the Internet by allowing an attacker without a user ID and password to take complete control and that all firewalls become irrelevant in the process.

Litchfield said that he warned Oracle of the problem in November, hoping that the company would fix the flaw when it issued a group of quarterly security patches in January and that he decided to go public because Oracle failed to do so. He believes about nine out of every ten Oracle databases are vulnerable to attack.

And finally, according to a report from Websense, Internet users are being lulled into a false sense of security by search results, and may click on links that are popular but infected with malware.

It appears that malware writers upped their efforts to get noticed late last year, and are manipulating search results to drive traffic in their direction. Almost 14 percent of searches for current ‘buzz words’, such as celebrities or current events, lead to malware sites or links, the report said.

The growth in spam has much to do with the number of email accounts being stolen, and their details posted online, according to the report. Websense said that tens of thousands of Hotmail, Gmail and Yahoo accounts had been hacked in this way.

After reading all that news one could be forgiven for shutting down for the day and going back to bed. Surely security across the ICT world will become this year’s hot item. It is also an area that the TM Forum is examining closely in a number of initiatives.


Posted 02-08-2010 6:24 PM by Tony Poulos