In Brief

Database and IMsecure vulnerabilities; search software flaw enables sophisticated phishing attack

Database Controls to Defeat Insiders

Despite the specter of hackers—so often seen as independent, outside agents—various security surveys point to management’s fear of, and the often greater damages resulting from, insider attacks.

“Today, the vast majority of breaches, and often the most costly, are those that occur within an organization’s internal network,” notes Akio Sakamoto, president and CEO of IPLocks.

Inside and outside attackers often gun for the same thing: the corporate database, where a company’s most valuable intellectual property or information lives. A record of recent database break-ins includes such names as the University of California, Berkeley (1.4 million database records stolen); BJ’s Wholesale Club (thousands of credit card numbers stolen); clothing-maker Guess; and Tower Records.

What many organizations overlook is dedicated security for the database. “Ongoing security management of the database layer provides many benefits to ensure authorized access to, and the integrity of, business-critical systems, and information assets,” notes META Group analyst Paul Proctor. Database security controls can monitor database access and maintain before-and-after views of data, all of which can also be used to meet regulatory requirements.

Proctor predicts an increase in the use of “strong information security controls” for databases, especially in organizations relying upon contractors, or with networks tied into customers and partners.


- - -

Attack Ups Phishing Trickery

A new phishing attack targets Citibank Australia and SunTrust Bank, using vulnerabilities in those organizations’ Web sites to render an authentic URL above phisher-created content.

Phishing attacks are on the rise, currently comprising eight percent of all spam, a 1,200 percent increase from January 2004, according to e-mail and Web filtering provider SurfControl. Even so, “this is definitely one of the most sophisticated phishing techniques we have ever seen,” says Susan Larson, SurfControl’s vice president of global content. “Up until now, an informed computer user stood a chance of being able to identify a suspicious URL if they were wary.”

This particular attack is made possible by a vulnerability relating to “a flaw in the search script for the banking sites,” says SurfControl. The end result is attackers, using e-mail with attached JavaScript, can render a Web page in a user’s browser which not only mimics the look of both the Citibank Australia and SunTrust Bank Web sites, but which appears to have an authentic URL.

To help organizations protect their employees from phishing, SurfControl recommends they educate users to never volunteer confidential information in response to an unsolicited e-mail, and to never follow any link found in an unsolicited e-mail. It also recommends organizations create a clear Web content acceptable-use policy (guidelines on what is permitted in the workplace), ensure all antivirus and operating system patches are up to date, and track spam outbreaks, in case additional defenses are required.

- - -

IMsecure Vulnerability

A vulnerability exists in IMsecure and IMsecure Pro from Zone Labs (a Check Point company), reports Kurczaba Associates.

Security information provider Secunia says this “less critical” vulnerability is due to “a canonicalization error in the Active Link filter, which blocks URLs in IM messages.” As a result of the vulnerability, a specially crafted link can bypass IMsecure’s filtering, resulting in URLs appearing in instant messages.

Zone Labs notes “this link could be malicious and therefore present increased risk to the end user.” It released IMsecure 1.5 to fix the vulnerability.
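The canonicalization problem Secunia describes is a general one for any URL filter: a filter that matches only the literal text of a message will not recognize encoded or mixed-case forms of a link, even though the client on the other end will still resolve them. The Python example below is added here as an illustration; it is not IMsecure’s code, and the filter logic, the placeholder host example.test and the messages are constructed. It contrasts a literal-match filter with one that canonicalizes each token before deciding whether it is a link.

```python
import re
from urllib.parse import urlsplit, unquote

# Literal-match filter: only catches links written exactly as lowercase http:// or https://.
NAIVE_LINK = re.compile(r"https?://\S+")

PLACEHOLDER = "[link removed]"


def naive_filter(message: str) -> str:
    """Replace links matched by a literal regex; misses case and encoding variants."""
    return NAIVE_LINK.sub(PLACEHOLDER, message)


def canonical_url(token: str):
    """Return a canonical scheme://host/path for a token, or None if it is not a link.

    Percent-decoding is repeated a bounded number of times so that a doubly
    encoded link is still recognized; the scheme and host are lowercased.
    """
    cleaned = token
    for _ in range(3):
        decoded = unquote(cleaned)
        if decoded == cleaned:
            break
        cleaned = decoded
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https", "ftp") and parts.netloc:
        return f"{scheme}://{parts.netloc.lower()}{parts.path}"
    return None


def canonical_filter(message: str) -> str:
    """Canonicalize each whitespace-separated token before the filter decision."""
    out = []
    for token in message.split():
        out.append(PLACEHOLDER if canonical_url(token) else token)
    return " ".join(out)


if __name__ == "__main__":
    # Constructed messages: the first two slip past the literal filter, not the canonical one.
    for msg in ("visit HTTP://example.test/login now",
                "see http%3A%2F%2Fexample.test%2Flogin",
                "go to http://example.test/a today"):
        print(naive_filter(msg), "|", canonical_filter(msg))
```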

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.