By Spencer E. Ante
Despite increasing public and corporate awareness about cybersecurity, the number of computer vulnerabilities in the second quarter of 2005 increased 10.8% compared with the first quarter, according to a new survey from the SANS Institute, which develops data and research on information security.
In all, SANS discovered 422 new vulnerabilities, up from 381 in the first quarter. The good news? Patches exist for all of the new security holes and can be found on the Web sites of the software makers named in the survey.
"SINS OF THE PAST." A quarter-over-quarter increase in itself isn't that surprising. Hackers are constantly developing new strategies and tactics to breach computer security systems. The new trojan horses are digital-media players such as the popular Apple iTunes program or the RealPlayer application from RealNetworks. Cybersecurity experts also report a marked increase in attacks on computer backup systems that often hold sensitive data such as e-mails and financial information.
So why are vulnerabilities on the rise if corporations and individuals spend more time and money plugging computer security holes? Security flaws persist primarily because commercial software vendors rush products to market that are not fully protected, say experts. "We are deploying flaws much faster than we are deploying fixes," says Ed Skoudis, a cyber-security expert and author of Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses. "There is a rush to get out new functionality quickly."
Since Microsoft released its Windows XP Service Pack 2 last August, many computer users have shored up security of the Windows operating system. However, Microsoft's Internet Explorer remains vulnerable, say experts. One major reason: Software applications such as Internet Explorer contain code that is 5 to 10 years old, when security was less of a priority for software makers. "We are paying for the sins of the past," says Gerhard Eschelbeck, chief technology officer of Qualys, a computer security firm based in Redwood Shores, Calif.
TROJAN TUNES. Due to the increasing popularity of digital media, hackers have increasingly targeted those applications. One typical tactic is to embed a virus or other type of malicious code into an audio file. The result: People unwittingly download music or video from a Web site or a file-sharing application, and their computer is infected.
"The bad guy creates evil media and waits for users to take the bait," says Skoudis. "It is completely invisible to the victim. It's a pretty interesting and dramatic shift we've seen in the last year."
The other emerging new hole is with corporate backup systems. In an electronic version of a sleeper cell, hackers can use viruses on PCs to launch an attack on an internal corporate backup system. Or they often slip through vulnerabilities in wireless networks to wreak havoc. "I've been involved in cases where hundreds of thousands of credit cards have been stolen via wireless," says Skoudis.
KEEP PATCHING. So what's the best way to protect yourself or your company? It may seem obvious, but security experts say the best way to guard against the latest attacks is to constantly use firewalls, anti-spyware, and antivirus software, plus continually download the security patches from software makers. "You have to make sure your automatic updating processes are enabled," says Eschelbeck.
Also, never open suspicious e-mails or attachments, or provide personal information to people whom you don't know. When it comes to security, vigilance is the key.
Ante is Computer editor for BusinessWeek.