turbotodd 100000388Y Visits (3771)
Earlier this week, IBM released results from its X-Force 2009 Mid-Year Trend and Risk report.
IBM’s X-Force research team spends its days cataloguing, analyzing, and researching vulnerability disclosures and has been doing so for 12 plus years.
With now more than 43,000 vulnerabilities catalogued, it has the largest vulnerability database in the world, which helps our researchers to understand the dynamics that make up vulnerability discovery and disclosure.
This year’s results reveal an unprecedented state of Web insecurity.
According to the findings, there has been a 508 percent increase in the number of new malicious Web links discovered in the first half of 2009.
Yet this problem is no longer limited to malicious domains or untrusted Web sites. The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines, and mainstream news sites.
This year, the report also reveals that the level of veiled Web exploits, especially PDF files, are at an all time high, indicating that hackers have continued to increase their sophistication. PDF vulnerabilities disclosed in the first half of 2009 surpassed disclosures from all of 2008.
It’s not to make you want to print out all those PDF white papers, huh?
Then again, maybe not.
X-Force director Kris Lamb had this to say about the current state of Web (in)security:
"The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted.”
“There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."
As we’ve seen in recent news, however, Web security isn’t just a matter of browser or client-side issues any longer. Criminals are leveraging insecure Web applications to target the users of legitimate Web sites. In fact, the X-Force report found a significant rise in Web application attacks with the intent to steal and manipulate data to take command and control of infected computers.
Take alleged credit card hacker Albert Gonzalez, recently indicted on conspiracy charges for stealing 130 million credit card numbers in the largest credit-card heist on record.
Gonzalez is said to have used SQL injection attacks to “inject” malicious code onto legitimate Websites for the purpose of later extracting credit card information and other personal information. Similar SQL injection attacks rose 50 percent from Q4 2008 to Q1 2009, and then doubled from Q1 to Q2 of this year.
Other midyear X-Force report key findings:
Concluded Lamb, "Two of the major themes for the first half of 2009 are the increase in sites hosting malware and the doubling of obfuscated Web attacks. The trends seem to reveal a fundamental security weakness in the Web ecosystem where interoperability between browsers, plugins, content and server applications dramatically increase the complexity and risk.”
“Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate Web site users."
For more security trends and predictions from IBM, including graphical representations of security statistics, download the 2009 IBM X-Force Mid-Year Trend and Risk Report today.