Diverse platforms and technologies widen opportunities for attack
Once, almost everyone ran Windows. Attackers attacked Windows. Defenders defended Windows. Those days are gone.
In 2012 we saw plenty of Windows-specific holes and vulnerabilities. For instance, the Windows Sidebar and Gadgets in Windows Vista and Windows 7 were revealed to be so insecure that Microsoft immediately eliminated them, and gave customers tools to disable them.
Windows Sidebar had hosted mini-programs (gadgets) such as news, stocks, and weather reports. Together, these were Microsoft’s answer to Apple’s popular Dashboard and Widgets. However, security researchers Mickey Shkatov and Toby Kohlenberg announced that they could demonstrate multiple attack vectors against gadgets, show how to create malicious gadgets, and identify flaws in published gadgets. Already planning a new approach to these miniature applications in Windows 8, Microsoft dropped Sidebar and Gadgets like a rock.
While most computer users still work with Windows, far more development now takes place elsewhere—on the web and mobile platforms. This means companies and individual users must worry about security risks in new and untraditional environments such as Android.
Here is a sampling of security breaches in 2012, offering a taste of what we all must deal with—and why our defenses must become increasingly layered, proactive and comprehensive.
- In February 2012, a hacker identified cross-site scripting (XSS) holes in 25 UK online stores that had been certified as safe by VeriSign, Visa, or MasterCard. Criminals can exploit XSS flaws to steal authentication credentials or customer billing information, placing customers at risk of identity theft. The holes arose from a common source: a poorly written script for filtering user searches. It’s another reminder to users that security isn’t just a matter of words and icons. Simply seeing https://, a padlock, or a VeriSign Trusted logo doesn’t mean you can get careless online. And it’s a huge reminder to web professionals to keep all their applications and scripts up to date, including scripts made publicly available by other authors.
- Thousands of self-hosted WordPress sites were hosting the dangerous Blackhole malware attack. In August 2012, Sophos discovered a major malware campaign which attempts to infect computers using the notorious Blackhole exploit kit. Users receive “order verification” emails containing links to legitimate WordPress blogs that have been poisoned to download malware. Users of the hosted WordPress.com service aren’t vulnerable: the service provider, Automattic, looks after the security of the WordPress.com servers for them.
- Hackers have been demonstrating at least theoretical attacks against everything from transit fare cards to the newest near field communication (NFC) enabled smartphones.
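The first breach above traces the XSS holes to a search script that reflects the user's query into the page without encoding it. As an added example (not the report's own code; function names and the sample input are constructed), here is that pattern beside its hardened form, which encodes every untrusted value at the point it enters the HTML:

```javascript
// Encode the five characters that change meaning in an HTML text or
// quoted-attribute context. This is output encoding, not input filtering:
// the query is stored and searched unchanged, and only its rendering changes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the raw query is concatenated into markup, so any tag a
// crafted link places in the query becomes part of the page (reflected XSS).
function renderSearchUnsafe(query, hits) {
  return `<h2>Results for ${query}</h2><ul>` +
    hits.map((h) => `<li>${h}</li>`).join('') + '</ul>';
}

// Hardened form: the same template, but every value is HTML-encoded where it
// is interpolated, so the browser shows the query as text rather than tags.
function renderSearchSafe(query, hits) {
  return `<h2>Results for ${escapeHtml(query)}</h2><ul>` +
    hits.map((h) => `<li>${escapeHtml(h)}</li>`).join('') + '</ul>';
}

// Constructed sample input: a query carrying markup, as a scanner or a
// poisoned link would supply it, plus product names containing & and quotes.
const sampleQuery = 'shoes<script>probe()</script>';
const sampleHits = ['Running shoes', 'Boots & "accessories"'];

console.log(renderSearchUnsafe(sampleQuery, sampleHits));
console.log(renderSearchSafe(sampleQuery, sampleHits));
```

Encoding must match the context the value lands in; this helper covers HTML text and quoted attributes, while URLs, JavaScript strings and CSS need their own encoders.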