TechRepublic: Real World. Real Time. Real IT.

New IE flaw even affects XP SP2 and FBI/CSI releases 2004 cybercrime report


by John McCormick | Published: 8/30/04

Keywords: Security | Web browsers

Takeaway: This week's Locksmith reports on a new vulnerability in Internet Explorer and gleans the important details from the 2004 FBI/CSI cybercrime report.



The annual FBI computer crime report is out, and it reports that attacks and costs are down and that insiders are becoming the biggest threat. The other important development this week is that some new IE vulnerabilities have been discovered, and these flaws affect even systems that have applied the new Windows XP Service Pack 2.

FBI/CSI 2004 cybercrime report

For the past nine years the FBI and the Computer Security Institute have compiled cybercrime statistics. These statistics provide a good benchmark to compare the year-to-year changes in the kind of threats administrators need to focus on. To get the 2004 report, you have to go to the CSI Web site and enter some registration information in order to receive the document as a PDF download.

The 2004 report concludes that both “the unauthorized use of computer systems” and the “annual financial loss resulting from security breaches” have declined, with a shift in the biggest problems being toward denial of service attacks. If true, that should come as a bit of a relief to many harried administrators.

The 486 reporting administrators come from a good mix of organization sizes in the private sector and government agencies, with most of the respondents in the private sector. Thus, the information in this report should be useful for most IT departments.

There are also useful reports on the amount of money spent on security by various organizations. Many administrators and IT managers might want to use those numbers to help gauge the reasonableness of security-focused budget requests.

In my opinion, some of the most significant findings in the report include:

  • Viruses and insider abuse of Web access are the biggest threats cited in the report.
  • One very bright spot in the report was that, among the responding organizations, 99 percent had antivirus software and 98 percent had firewalls.
  • Other numbers indicate that data encryption isn’t used nearly as often as would be expected, which isn’t comforting.
  • Another worrisome trend I gleaned from the report was that, by far, medical-related companies spend the least on security. That may change when the recent laws and regulations regarding privacy of medical records are more fully implemented.
  • Most companies don’t have cybersecurity insurance, something I suspect will change in the future.
  • Per-employee security costs are highest for small businesses and smallest for very large companies. Although that is predictable, it is still important to realize.

Latest IE problems

A new Internet Explorer vulnerability has been discovered and it apparently hasn’t been fixed by Windows XP SP2. Secunia rates the flaw as highly critical.

The threat relates to the way Windows handles drag-and-drop operations and can allow a malicious Web site to cause arbitrary code to be inserted into the Startup folder of a Windows machine, where it runs at the next logon. Secunia speculates that this vulnerability could also be triggered by a simple click of a button rather than requiring a drag-and-drop.

This was originally reported by http-equiv, which also posted a proof-of-concept demonstration (and that is why I’m not providing a link). The vulnerability is also related to an old cross-site scripting error that has been addressed by Microsoft.

Applicability

This affects Internet Explorer 5.01, 5.5 and 6.0. As mentioned above, it even affects Windows XP systems with SP2 installed.

Risk level – High to Extreme

Secunia appears to rate threats based on the amount of damage they could cause and, unlike Microsoft, doesn’t factor in the likelihood that they will be exploited. That is why this flaw is so highly rated. Also, there are no mitigating factors.

Fix

Turn off IE's Active Scripting.
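As an added example (not code from the column or from Microsoft), the following PowerShell script audits, and optionally applies, the Active Scripting setting for IE's Internet zone for the current user, then lists the contents of the per-user and all-users Startup folders so an administrator can spot unexpected entries. It assumes the standard IE zone registry layout (zone 3 is the Internet zone, value name 1400 is "Active scripting" with 0 = enable, 1 = prompt, 3 = disable) and the Startup folder paths that .NET resolves.

```powershell
# Added example, not from the TechRepublic column: audit (and optionally apply)
# the Active Scripting mitigation and review Startup-folder contents.
# Assumption: standard IE zone registry layout under HKCU, where zone 3 is the
# Internet zone and value 1400 is "Active scripting" (0 enable, 1 prompt, 3 disable).
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$states  = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

# Report the current Active Scripting state for the Internet zone.
$item = Get-ItemProperty -Path $zoneKey -Name '1400' -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host 'Active scripting (Internet zone): value 1400 not set, IE default applies'
} else {
    $state = $states[[int]$item.'1400']
    if (-not $state) { $state = "unknown ($($item.'1400'))" }
    Write-Host "Active scripting (Internet zone): $state"
}

if ($Apply) {
    # Disable Active Scripting in the Internet zone for the current user.
    if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    Set-ItemProperty -Path $zoneKey -Name '1400' -Value 3 -Type DWord
    Write-Host 'Active scripting disabled for the Internet zone (HKCU).'
}

# Anything dropped into a Startup folder runs at the next logon, so list every
# entry with its creation time; review entries you do not recognise.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)
foreach ($folder in $startupFolders) {
    Write-Host "`nStartup folder: $folder"
    Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        Sort-Object CreationTime -Descending |
        Format-Table Name, CreationTime, Length -AutoSize
}
```

Run it without arguments to audit only; pass -Apply to set the Internet zone to "disabled" for the current user (a domain policy may override the value).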

Final word

I believe a lot of the numbers in the 2004 CSI/FBI Computer Crime Report are on target, mainly because companies will respond to the survey even if they fail to report crimes to the police. However, I have some serious questions about the claim that intrusions are down. I suspect that, since the report mostly looks at occurrences in 2003 or even earlier, next year’s report may be a little different after all the serious attacks we’ve seen lately. Although the individual respondents aren’t identified, I feel many of them are shading the numbers a bit, and there simply isn’t any way to determine that except by looking at how quickly worms and other malware spread. Much of the problem relates to unprotected home systems on broadband connections, but I see a lot of reports from businesses that experience penetrations and other forms of attack on a regular basis.

Also, although the survey has collected data from a lot of businesses, that doesn’t mean it covers the numbers of employees in the same proportion. It's easy to forget that many more people in the U.S. work for small businesses with fewer than 20 employees than work for large corporations. That can easily skew the results in this report because those small businesses also have the fewest security resources. In fact, I would actually classify many of the small businesses that I work with as equivalent to home users when it comes to security.


Also watch for …

  • Cisco IOS 12.0S, 12.2 and 12.3 have an OSPF protocol DoS vulnerability (there's no risk if you don’t have OSPF enabled). This was reported by Cisco, and if your systems are affected, you should definitely get the patch.
  • Netscape and Mozilla have a SOAP vulnerability in Netscape versions 7.0 and 7.1 and Mozilla version 1.6. Mozilla version 1.7.1 is immune. See CAN-2004-0722. The exploit was reported to Netscape in March, and the patch was inserted in the Mozilla source tree in July.
  • Opera version 7.53 (and earlier) on Windows, Linux, and Macintosh can let attackers locate files and directories on your system. Update to version 7.54 or newer to fix this problem, which was discovered and reported by GreyMagic.
  • Several big players have agreed to adopt Microsoft’s Sender ID system, which identifies e-mail origins. This looks like the best option we currently have to reduce phishing and kill off a big source of spam. Sender ID will end the use of spoofed addresses but may not do much to stop hijacked systems from forwarding malware attacks to addresses harvested from PCs. Yahoo is working on its own system called DomainKeys, based on encryption. However, Sender ID actually maps the supposed originating domain. Neither is a total solution, but both could be potent new weapons in the fight against spam.
