Security Watch

A Flood of Fixes in April

This month is among the busiest, with patches coming from Microsoft, Adobe and others. Plus: Black Hat Tech Con tackles Web-originated attacks; looking for motives in the cyberspying world.

• By Jabulani Leffall
• 04/12/2010

Patchwork is becoming a way of life for Windows IT pros, in that security patches are increasingly requiring more guess work and actual work spent downloading and installing myriad hotfixes.

By the end of this week, Redmond will have rolled out 29 patches, with the number of total vulnerabilities thus far flirting with 50. And we've only been through the first quarter of the year.

To that end, IT pros can certainly expect one whopper of an April patch from Microsoft and other vendors. On Tuesday, the company expects to release 11 fixes that will address some 25 vulnerabilities. If you're an IT pro that can't get enough of surprises, Tuesday also marks Adobe Systems' scheduled security updates for Reader and Acrobat. Adobe released its advanced notification, but didn't offer details on issues or fixes.

Adobe's patches bear watching as Belgian researcher Didier Stevens recently came out with proofs of concept dealing with multistage hacks using PDF files. Stevens' supposition is that a sophisticated hacker could successfully exploit a fully patched Adobe Reader.

Such news is leading some to say that it's going to be a busy Tuesday.

"As with any patch Tuesday, keep an eye out for other vendors who join in on this patch release day," said Jason Miller, data and security team manager, Shavlik Technologies.

Miller and others are also keeping a close eye on an anticipated security update for Java 5. It's looking more and more like Windows IT professionals will have to clear their dance cards on Tuesday to tango with more and more patches coming from more vendors as the number of application, network and Web component bugs grow.

Black Hat Tackles Web Hacking
Internet threats will dominate this week's discussions at the Black Hat Technical Conference in Barcelona, Spain. Max Kelly, Facebook chief security officer, will deliver the Wednesday keynote speech.

Among the topics at the tech-con are attacks on Web applications, malicious streaming, cross-site scripting, protecting wireless networks and the rise of cybercrime and warfare, which has dominated the news lately. On the latter subject, security experts will be trying to differentiate warfare and espionage and also demystify the all-hacks-come-from China myth.

The truth of the matter, as a report from security researchers, "Shadows in the Cloud," suggests, is that security pros need to start thinking less about threats and more about classes of hackers. In other words, it's important to know about malware, remote code execution and spoofing, but it's more critical to understand motive. What percentage of hackers are in it for the money, just having fun, looking to steal critical information, or are trying to terrorize and shut down the Web via logic bombs and other mischief. Understanding motive can help IT administrators in the public and private sectors create a more comprehensive IT security program that is more preventative than detective, more proactive than reactive.

In the words of the report: "The ecosystem of (cyber)crime and espionage is also emerging because of opportunism on the part of actors."

The reports authors aren't talking about thespians who memorize lines to convey a narrative but actors in the hacking space who use different means to achieve different ends. The loftier the end, the more sophisticated the means are likely to be.

In this context all the world's a stage – as in the staging ground for attacks via the Web.

Report: Security Pros Want Federal IT Security Standards
Speaking with me last week about the rise of Internet-borne cyber espionage, security expert Andrew Storms said, "If you can collect enough smart people backed by enough government money, anything you can dream about is within the realm of possibility."

That's a scary thought: government sponsored cyber hacking. But what about government-sponsored IT security legislation?

Well, Storms' company nCircle is releasing a survey indicating that many SecAdmin pros would like to see the U.S. government step in domestically to tame the wild world of security regulations.

According to nCircle's survey, 70 percent of IT security professionals believe that the federal government should pass data breach and data privacy legislation.

Other tidbits among the findings:

• An astounding 76 percent think the public sector is not doing an adequate job of keeping personal and business data secure.
• A paltry 22 percent believe the level of cyber-security investment in the private sector in the U.S. is sufficient given the emerging risk environment.

"Security professionals know that allowing private industry to 'self-regulate' on security issues hasn't worked so far, and it's unlikely to improve without some external stimulus," said nCircle Chief Executive Abe Kleinfeld in an e-mail statement. "That's where regulation comes in."