
The A to Z of security

Got the Love Bug? Scared of spyware? Read all about what's keeping techies awake at night...
Written by Natasha Lomas, Contributor

Be afraid. Threats to corporate security are everywhere. Just when you thought your network was safe from hackers, along came wi-fi - or your iPod-wielding workforce - and opened a whole new can of worms.

Security is by its nature ever-evolving. Just as one threat is apparently locked down, another springs up to take its place - or an old one rears its head in a new form. Grappling with this malicious hydra it's no wonder the security space spawns new terms and phrases at a rate of knots - and you're supposed to keep up with them all.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

And while the rise of the net has opened many doors, it has also kicked down a few that really should be locked. Google is an undeniably wonderful tool for helping people find anything and everything, but such power, especially when rolled onto desktop PCs in a corporate setting, can be abused as well. And it is the human urge to misuse technology that keeps security professionals working in overdrive.

Human failings of a less malicious kind are yet another headache for IT departments - from poor choice of passwords to dodgy downloads.

If the business of securing computers and networks is a lucrative one - something Microsoft has become keen to capitalise on of late - so too is the international business of high-tech cyber crime that underpins it. Cyber crime is a hot political potato too: the UK government has just updated the Computer Misuse Act to close a loophole regarding denial of service attacks and provide for stiffer penalties for hacking offences.

The rise of wi-fi, remote working and mobile technology has taken security concerns out of the office. Threats follow the data and if the data is out there somewhere, you can guarantee the threats won't be far behind...

Click on the links in the box for the security A to Z - from antivirus to zero-day.

Antivirus

Most computer users should be aware by now that antivirus software will help protect PCs from viruses and other malware transmitted over the internet from device to device.

When installed on a PC, antivirus software monitors and scans inbound, outbound and existing files to check for traces of infection - traditionally by using what is known as a 'signature database', a library of known malicious code used to identify suspicious files.

But since malware is ever-evolving, it is vital the database contains the latest threats - hence the need to download regular antivirus updates. And because signatures are seen as an increasingly outdated defence - by their very nature they are behind the threats - many AV vendors are producing more predictive technologies based on smarter analysis of data to second-guess potential threats before they strike – an approach known as heuristics.

Antivirus software also works by analysing what apps are trying to do - malicious programs can blow their cover by displaying suspicious patterns of behaviour (such as searching out executable or mail box files in order to propagate) or by containing code that sets alarm bells ringing (instructions to format a hard drive, for instance).

Once a virus has been detected the antivirus software will quarantine it, so it cannot spread, then attempt to erase it and repair any file-damage caused.
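The two detection approaches described above (matching files against a signature database, and scoring suspicious behaviour or content heuristically) plus quarantine can be shown end to end in a few dozen lines. The following is an added illustration, not code from the article or from any antivirus vendor: the sample "files" are constructed byte strings, the signature names and heuristic weights are invented for the demonstration, and the only real pattern used is the EICAR test string, the harmless industry-standard file that antivirus products are expected to flag.

```python
"""Toy signature-plus-heuristic scanner with quarantine (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signature database: detection name -> byte pattern that must appear in the file.
# "EICAR-Test-File" is the real, harmless industry test string; the other entry
# is a constructed placeholder, not a real malware signature.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Demo.MailWorm": b"DEMO-WORM-MARKER-0001",
}

# Heuristic indicators (constructed weights): the kinds of tell-tale content the
# article mentions, such as hunting for executables or mailbox data in order to
# propagate, or instructions to format a drive.
HEURISTICS = [
    (b"format c:", 5),
    (b"*.exe", 2),
    (b"outlook.application", 3),
    (b"addresslists", 3),
    (b"createobject", 1),
]
HEURISTIC_THRESHOLD = 5  # score at or above this is treated as a detection


@dataclass
class Verdict:
    filename: str
    detected: bool
    reason: str
    score: int = 0


def signature_match(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in the file, if any."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every suspicious indicator present (case-insensitive)."""
    lowered = data.lower()
    return sum(weight for indicator, weight in HEURISTICS if indicator in lowered)


def scan(filename: str, data: bytes) -> Verdict:
    """Signatures first (cheap and precise), then the heuristic score."""
    name = signature_match(data)
    if name is not None:
        return Verdict(filename, True, f"signature:{name}")
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return Verdict(filename, True, "heuristic", score)
    return Verdict(filename, False, "clean", score)


# Quarantine store: detected files are held here so they cannot run or spread.
QUARANTINE: Dict[str, bytes] = {}


def scan_and_quarantine(files: Dict[str, bytes]) -> List[Verdict]:
    verdicts = []
    for filename, data in files.items():
        verdict = scan(filename, data)
        if verdict.detected:
            QUARANTINE[filename] = data
        verdicts.append(verdict)
    return verdicts


# Constructed sample files: one EICAR test file, one benign note, one script that
# trips several heuristics, and one note that mentions *.exe but stays under threshold.
SAMPLE_FILES: Dict[str, bytes] = {
    "eicar.com": SIGNATURES["EICAR-Test-File"],
    "invoice.txt": b"Please find the invoice attached. Regards, accounts",
    "script.vbs": b'Set o = CreateObject("Outlook.Application")\n'
                  b'For Each a In o.GetNamespace("MAPI").AddressLists\n',
    "readme.txt": b"Copy *.exe to the install folder",
}

if __name__ == "__main__":
    for v in scan_and_quarantine(SAMPLE_FILES):
        print(f"{v.filename:12} detected={v.detected} reason={v.reason} score={v.score}")
```

The ordering matters: a signature hit is definitive and needs no score, while the heuristic path gives a verdict on files no signature has been written for yet, at the cost of possible false positives (tune the threshold against real clean files before trusting it).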

Nowadays it should be a matter of course for a company whose employees have web access to have up-to-date antivirus software installed across the network. The global antivirus market reached $3.7bn in revenue in 2004, according to market researcher IDC, which predicts it will swell to $7.3bn in 2009.

Botnets

A botnet - also known as a 'zombie network' or 'zombie army' - is a collection of internet-connected PCs that have been compromised by malware infection so they can be controlled remotely by a malicious outsider, often without the PC owners' knowledge. PCs not protected by adequate antivirus and firewall software are at greatest risk of being corralled into a botnet.

Armies of zombie PCs are used by cyber criminals for sending spam or viruses or committing denial of service attacks. Capacity on botnets is rented out to criminal gangs or individuals for as little as $100 for a couple of hours by their creator – often a very commercially motivated virus writer.

A zombie army was used in a high profile DDoS attack against Akamai Technologies last year, affecting the websites of some of its big-name tech clients.

CMA

The Computer Misuse Act 1990 (CMA) is, as its date stamp suggests, a 16-year-old UK government law dealing with malicious use of computers.

It started life as a Private Member's Bill, introduced by Tory MP Michael Colvin after the prosecution of two men - for hacking into British Telecom's Prestel videotex system in the mid-80s - foundered under the Forgery and Counterfeiting Act. The men were able to successfully argue this Act had been misapplied to their conduct. Their case led to a review by the English Law Commission, which recommended bringing in new legislation to deal specifically with computer hacking.

The CMA made it a criminal offence to intentionally gain unauthorised access to, or to modify, data or any program held in a computer.

Back in 2004, the All Party Internet Group made a series of recommendations for updating the CMA - to address a loophole around DoS and related fraud attacks, and to increase the prison term that can be meted out to hackers. APIG also recommended making hacking an extraditable offence.

The denial of service loophole was particularly problematic. DoS attacks, while undoubtedly disruptive, do not involve data modification so perpetrators were exempt from prosecution under the CMA. In 2005, the prosecution of a UK teen for launching an email bomb attack against his ex-employer failed for this reason.

Writing about the loophole in a silicon.com column last year, computer crime guru Neil Barrett called for "a specific alteration to the Computer Misuse Act so as to make denial of service - whether a 'simple' or an 'aggravated' offence - a criminal act".

The Police and Justice Bill passed onto the statute books on 8 November 2006, replacing section three of the Computer Misuse Act with new wording that tackles "unauthorised acts with intent to impair operation of a computer". The long-awaited CMA revamp means DoS attackers now face up to 10 years in jail.

Hackers can also expect more jail time - the update increases the maximum sentence for hacking a computer from six months to two years. The new law also makes it an offence to supply or make available software or tools that could be used to commit hacking or DoS attacks. Those found guilty under this section of the law face up to two years in jail.

DDoS

A denial of service (DoS) attack aims to render a web resource unavailable to its everyday users. It works by flooding a web server with more requests to serve a webpage than it can handle - meaning that during the attack period the hosted site will be dramatically slower to load or may not load at all. Another type of DoS attack - known as an 'email bomb' - targets an organisation's servers by sending more email than the systems can handle.

A distributed denial of service attack (DDoS) means multiple compromised PCs are used to overwhelm a website's bandwidth or resources. The machines used in such attacks are collectively known as a botnet or zombie network and will have previously been infected with malware - meaning they can be remote-controlled by the attacker.

The cyber criminal fraternity uses denial of service attacks as a weapon to blackmail ecommerce businesses, which rely on their websites being accessible in order to make money. Online gambling sites are popular targets - due to the nature of their business and the lure of ready money. But attacks are not always financially motivated - perpetrators can simply be seeking to cause disruption or make a name for themselves.
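From the defender's side, the difference between a single-source flood and a distributed one described above shows up in the web server's own access log: one address hammering the server versus many addresses each sending a modest number of requests that add up to more than the server can handle. The following is an added example, not code from the article or from silicon.com: it parses constructed access-log lines (documentation IP ranges, invented timestamps), counts requests per source per second, and raises one alert when a single source crosses a per-source threshold and a different alert when the aggregate crosses a total threshold with no single dominant source. The thresholds are placeholders to be tuned to the site's normal traffic.

```python
"""Spot single-source and distributed floods in access-log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("req"),
            "status": int(m.group("status"))}


def detect_floods(lines: List[str], per_source_threshold: int = 20,
                  total_threshold: int = 30) -> List[dict]:
    """Bucket requests by second and source, then apply the two thresholds."""
    per_second: Dict[datetime, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, but do not let it break the run
        per_second[rec["ts"].replace(microsecond=0)][rec["ip"]] += 1

    alerts = []
    for second in sorted(per_second):
        counts = per_second[second]
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n >= per_source_threshold:
            # One address alone is over the limit: classic single-source DoS.
            alerts.append({"second": second.isoformat(), "kind": "single-source",
                           "source": top_ip, "requests": top_n})
        elif total >= total_threshold:
            # No single address stands out, yet the aggregate is a flood: DDoS pattern.
            alerts.append({"second": second.isoformat(), "kind": "distributed",
                           "sources": len(counts), "requests": total})
    return alerts


def _log(ip: str, second: int, path: str = "/") -> str:
    """Build one constructed CLF line at 13:55:<second> on an invented date."""
    return f'{ip} - - [10/Oct/2006:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 2326'


# Constructed sample log: three quiet seconds, then one source sending 25 requests
# in a second, then 20 "zombie" addresses sending two requests each in a second.
SAMPLE_LOG: List[str] = []
for s in range(3):
    for i in range(3):
        SAMPLE_LOG.append(_log(f"198.51.100.{i + 1}", s))
for _ in range(25):
    SAMPLE_LOG.append(_log("203.0.113.9", 3))
for i in range(20):
    for _ in range(2):
        SAMPLE_LOG.append(_log(f"203.0.113.{100 + i}", 4))

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

Per-source counting on its own would miss the second case entirely, which is precisely why botnets are used for this: each zombie stays below any reasonable per-address limit. In practice the aggregate check is what triggers the upstream response (rate limiting, provider scrubbing), and the per-second bucket would be widened to a sliding window.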

Extradition

The global reach of the internet has clear advantages when it comes to connecting up the world and enabling a worldwide exchange of data. But it has also given criminals the chance to exploit this connectivity - meaning they now have the opportunity to perpetrate cross-border crime without leaving home.

By its very nature, cyber crime is an international phenomenon - a virus, once unleashed, is not limited to a particular geographical region. '419' email scams may be associated with Nigeria, as the country where they commonly originate from, but victims of the fraud can hail from anywhere in the world.

The worldwide threat posed by web-based crime has led to Europe and the US backing an international anti-cyber-crime treaty in an attempt to improve cross-border collaboration.

Extradition comes into play when the government of a country affected by cyber criminal activity wants to prosecute an alleged perpetrator who resides elsewhere in the world. Countries rely on existing extradition treaties to do this - where there is no treaty in place between two nations there will be no chance of a cyber criminal being handed over for prosecution.

Back in 2004, a US attempt to extradite Hew Raymond Griffiths, a 42-year-old computer programmer from New South Wales, Australia, for his alleged role in leading the DrinkorDie piracy group, failed after an Australian magistrate ruled the US had not provided enough info about specific instances of his alleged copyright infringement.

A higher-profile extradition attempt by the US involved the so-called Nasa hacker Gary McKinnon, a UK national who lives in north London. The extradition process started in 2002, after McKinnon was charged by a grand jury in New Jersey with intentionally damaging a federal computer system. The alleged hacks included breaking into systems belonging to the US Air Force, the US Army, the US Department of Defense, the US Navy and Nasa.

In 2005 McKinnon's extradition hearing began in London. His lawyers argued extradition would breach his human rights owing to the possibility of him being tried under US anti-terrorism laws which could see him being treated as a terrorist and jailed for up to 60 years. However this argument failed to sway the court. The presiding judge acknowledged McKinnon is likely to face a harsher sentence in the US than he would in the UK but he said: "It must be obvious to any defendant that if you chose to commit a crime in a foreign country you run the risk of being prosecuted in that country."

McKinnon's extradition was rubber-stamped back in July by Home Secretary John Reid - though he has yet to be handed over to US authorities.

A silicon.com reader poll showed strong sympathy for McKinnon's plight - with 65.5 per cent of respondents saying he should not face extradition to the US and should instead stand trial in the UK and serve any sentence here too.

Further controversy surrounds the McKinnon case because he is being extradited under the UK Extradition Act 2003. This was rushed into law after the terrorist attacks of 11 September 2001 and does not include a requirement for an extradition request from the US to contain prima facie evidence of the charges. The Act has also not been ratified by the US government, so while McKinnon is being extradited to the US under its terms, the UK government cannot extradite a US citizen to the UK.

Federated identity

Federated identity is all about trust.

It refers to the process of using a single ID to authenticate a user across multiple systems - be they IT systems on a network, a group of websites or even different organisations.

In order for this linking up of services to be possible, a group of service providers must get together and agree to accept a single authenticating ID for a user.

The main advantage of a federated identity is convenience - since users of services that have agreed to link up in this way don't have to manage a raft of ID credentials in order to access each resource. Federated identity also facilitates a more personalised service for users, without the security risk of storing a large amount of a user's personal data in one place - a bit like a jigsaw puzzle making up a picture by the joining of each small piece.

But - as with any issue of trust - not everyone buys into the logic of federating identity in this way: standardising on a single credential inherently introduces an element of insecurity, since one compromised ID can open every service that has agreed to accept it.
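The mechanics behind the two preceding paragraphs (one identity provider vouches for the user, and every service provider that has joined the federation accepts that one assertion instead of keeping its own credentials) can be shown with a small signed-assertion exchange. This is an added example and not code from the article or from any federated identity product: the identity provider name, the service names and the shared key are all constructed placeholders, and a shared HMAC key stands in for the public-key signatures real federations use. Each service checks the signature, checks that it is named as an audience, and checks the expiry before trusting the subject.

```python
"""Issue and verify a federated identity assertion (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Placeholder shared secret. A real federation would have the identity provider
# sign with a private key and distribute only the public key to service providers.
FEDERATION_KEY = b"constructed-demo-shared-secret"
IDENTITY_PROVIDER = "idp.example"  # constructed name


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_assertion(subject: str, audiences: List[str], ttl_seconds: int = 300,
                    now: Optional[float] = None, key: bytes = FEDERATION_KEY) -> str:
    """Identity provider side: bind a subject to the services allowed to accept it."""
    now = time.time() if now is None else now
    claims = {"iss": IDENTITY_PROVIDER, "sub": subject, "aud": sorted(audiences),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body, key)}"


def verify_assertion(token: str, service: str, now: Optional[float] = None,
                     key: bytes = FEDERATION_KEY) -> Tuple[Optional[str], str]:
    """Service provider side: return (subject, 'ok') or (None, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    # Constant-time comparison so the check does not leak how much of the tag matched.
    if not hmac.compare_digest(sig, _sign(body, key)):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if service not in claims["aud"]:
        return None, "not an audience of this assertion"
    if now >= claims["exp"]:
        return None, "expired"
    return claims["sub"], "ok"


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed epoch time so the demo is deterministic
    token = issue_assertion("alice", ["payroll.example", "wiki.example"], now=issued_at)
    for svc in ("wiki.example", "payroll.example", "cafe.example"):
        print(svc, verify_assertion(token, svc, now=issued_at + 100))
    print("later:", verify_assertion(token, "wiki.example", now=issued_at + 400))
```

The audience list is what makes this a federation rather than a blanket login: a service outside the agreed group, or one the assertion was not issued for, gets nothing even with a valid signature. The flip side, and the reason for the scepticism noted above, is that the verification key is shared trust; anyone holding the signing key can mint assertions for every service at once.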

Google

What's Google got to do with security? Well rather a lot, when you consider the amount of data the search engine makes available to anyone with a net-connected PC and a curious mind. Phishers, for instance, are using it to get more sophisticated in targeting their victims (a technique which became prominent in 2005, known as spear phishing) and a bit of 'quality Google time' can unearth a surprising amount of data on an individual or company.

But when it comes to corporate security, it's Google Desktop that's keeping techies awake at night. The search app extends the Mountain View muscle to all the files contained on a PC's hard drive - putting corporate data security at risk, according to UK heads of IT polled by silicon.com.

And they are not alone in expounding that view: at the start of this year, a university and a manufacturing company in the US banned Google Desktop for the risk it posed to sensitive data and the fear it might be trampling on US privacy regulations.

Hackers

Hacking doesn't just mean breaking into computer systems - it can refer to any action that achieves an outcome by deviating from the intended path.

Computer hackers write, use and modify software to break into computer systems - often exploiting flaws in another programmer's code. The security troubles that have dogged Microsoft's Internet Explorer web browser, for instance, are caused by hackers writing pieces of code that exploit vulnerabilities in IE's code, enabling them to use the browser as a springboard to carry out a malicious action - such as hijacking a user's PC.

Although many hackers are malicious - intending to cause disruption or hijack PCs for their own ends - some can simply be out for the challenge of cracking a particular security system. In the corporate world, so-called ethical (or professional) hackers are even employed to probe corporate security systems for flaws - a business known as penetration testing. This year, the UK's first ethical hacking degree was launched by the University of Abertay in Dundee in response to industry demand for IT security experts.

Notable not-so-ethical hackers include Gary McKinnon, the 'Nasa hacker' and Kevin Mitnick, who served five years in jail for his hacking exploits. Since being released from jail, Mitnick has carved a career for himself in the security industry - a path followed by many former hackers.

A recent update to the UK's Computer Misuse Act has increased the maximum jail term for hacking a computer from six months to two years.

IM

As corporate email security has improved, and users have got more savvy about not opening every email attachment that lands in their inbox, malware writers have had to turn their attention to other avenues of attack. And the rise of IM, or instant messaging, has given them a new target - not least because of its increasing popularity in the corporate sphere.

IM clients are the playground of IM viruses. This malware is spread by an IM user clicking on an executable file attachment or a hyperlink in a chat window which then links through to a malicious website, and the ways of getting those links in front of the end user are becoming increasingly sophisticated.

Last year, warnings of a new breed of IM worm that attempts to chat with its victims surfaced, suggesting new and more sophisticated IM worms could well be on the way.

Jaschan (Sven)

German teen Sven Jaschan was responsible for writing and unleashing the Sasser virus back in 2004.

Sasser blew the simmering lid off malware - wreaking high-profile havoc in businesses and organisations across the world. Disruption caused by the worm included the shutting down of 130 offices of insurance company IF; the cancelling of several Delta Air Lines transatlantic flights; and the satellite communication of the AFP news agency being blocked for hours.

The teen was arrested after a three-month international investigation that saw Microsoft slapping a $250,000 bounty on the Sasser writer's head. Jaschan even landed himself on the 2004 silicon.com Agenda Setters list for the dubious honour of being the first person caught as a direct result of Microsoft's largesse.

Jaschan was tried in Germany in July 2005 and pleaded guilty to charges including computer sabotage and disruption of business. There was speculation he would serve time behind bars. But the teen was in fact handed a suspended sentence - a punishment that caused widespread anger in the security community.

Jaschan managed to generate further headlines by netting a programming job with computer security company Securepoint - which also caused much head-shaking and soul-searching among security professionals.

In the wake of the controversy, the question 'would you hire a reformed virus writer?' split silicon.com's CIO Jury down the middle.

Kids

Computer misuse was once seen as the domain of disenchanted teens causing havoc from the darkness of their grotty bedrooms. Many of the earliest instances of malware being released were traced back to virus writers in their late teens.

But the rise of the internet, and big business' reliance upon it, has facilitated a paradigm shift - computer crime has mushroomed from the act of 'angry young men' to become a fast-growing branch of international organised crime. The growth and popularity of ecommerce and online banking has further fuelled the cyber crime boom as traditional fraudsters take their tricks online - and learn a few new ones.

Writing last year, silicon.com columnist Simon Moores described how "the internet has given organised crime a profit margin that legitimate business can never expect to equal", and said "quite literally hundreds of billions of dollars are hidden in offshore accounts", adding: "This money fuels other criminal ventures, from paedophile pornography to drugs trafficking".

And it is the net's promise of filthy lucre that has turned computer misuse from child's play into organised global crime.

Love Bug

ILOVEYOU. Loveletter. Love Bug. All names used to refer to a computer virus that used social engineering to trick computer users into opening an infected attachment entitled LOVE-LETTER-FOR-YOU.TXT.vbs - in this case playing on people's desire to feel loved.

The Love Bug was fiendishly effective. The worm, which only affected systems running Microsoft's Windows OS, surfaced in Hong Kong on 3 May 2000 and, propagating via email contact lists, spread westwards across the globe as office workers logged on in the morning and checked their email – a common phenomenon in the virus world, called 'following the sun'.

As well as causing overloaded email servers to grind to a halt, the virus overwrote files with a copy of itself. One training company had its entire image library wiped out. And even the Pentagon was not immune to the Love Bug's charms.

The worm's cost to businesses is thought to have been around $8.5bn - making it the most expensive piece of malware to be unleashed to date. It was also the first time a computer virus became the day's top story for newspapers and television stations, marking a shift to mainstream awareness of computer viruses.

A 23-year-old computer programming student from the Philippines, Onel de Guzman, was charged in June 2000 with releasing the Love Bug but the case against him was dropped as the Philippines had no law against virus writing. Authorities there also failed to prosecute Reonel Ramones, who was accused of authoring the worm.
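The social-engineering trick in the attachment name above, a script extension tucked behind a harmless-looking .TXT so that it reads as a text file, is one a mail gateway can screen for mechanically. The following is an added example, not code from the article, silicon.com or any mail product: it classifies attachment names by their true final extension, blocks executable and script types outright, and labels the double-extension case separately so the log explains why. The extension lists and sample names are constructed for the demonstration; the only name taken from the article is the Love Bug's own.

```python
"""Screen mail attachment names for executable and deceptive double extensions (added example)."""
from typing import Dict, List, Tuple

# Constructed policy lists: types that can run code when opened, and document-like
# types an attacker might place in front of them to make the name look safe.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".xls", ".htm"}


def split_extensions(filename: str) -> List[str]:
    """Return every extension in order, lower-cased: 'A.TXT.vbs' -> ['.txt', '.vbs']."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one attachment display name."""
    exts = split_extensions(filename)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]  # what the OS actually uses to decide how to open the file
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "block", f"deceptive double extension {exts[-2]}{last}"
        return "block", f"executable attachment {last}"
    return "allow", "non-executable"


def screen_message(attachment_names: List[str]) -> Dict[str, Tuple[str, str]]:
    """Classify every attachment on a message; the caller holds the message if any is blocked."""
    return {name: classify_attachment(name) for name in attachment_names}


# Constructed sample attachment list for a single message.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",   # the Love Bug's attachment name
    "quarterly-report.pdf",
    "setup.exe",
    "README",
    "photo.JPG",
]

if __name__ == "__main__":
    for name, (action, reason) in screen_message(SAMPLE_ATTACHMENTS).items():
        print(f"{action:5} {name:30} {reason}")
```

The check keys on the last extension precisely because that is the one the operating system honours when the file is opened, while a Windows default of the era, hiding known extensions in Explorer, meant users saw only the `.TXT` part. Matching is case-insensitive for the same reason: `.VBS` and `.vbs` open the same way.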

Microsoft

Microsoft's role in unwittingly creating a hole for the security industry to fill cannot be underestimated. By producing an operating system that was ubiquitous and yet, when coupled with the rise of the internet, all too vulnerable to attack, the software behemoth generated a need that other businesses gladly stepped in to service.

For many years an embarrassed Microsoft struggled to up its security credentials - spending on training its programmers to write more secure software and launching its so-called Trustworthy Computing Initiative, which focused on improving the security and reliability of its products including conducting 'security audits' of software prior to release to nail down as many bugs as possible.

The release of Windows Server 2003 was delayed three times, due in part to efforts by Redmond to improve its security and reliability.

The company also developed working relationships with some of the big names in security - encouraging Windows users to deploy third-party firewalls and other 'shields' to stop hackers from reaching potentially vulnerable PCs.

But in summer 2003 there was a subtle shift in Microsoft's security agenda: the acquisition of an antivirus company called GeCAD signalled a new intention - namely that it was planning to cut its own slice of this lucrative market. The unleashing of the MSBlast worm shortly afterwards - which exploited a massive vulnerability in Windows to infect millions of home PCs and taunted Microsoft with the message: "billy gates why do you make this possible? Stop making money and fix your software!!" - clearly added to the sense of urgency in Redmond.

Since then Microsoft's momentum in the security space has seen it gaining ground significantly. In 2004 it bought Giant Software - a maker of anti-spyware, anti-pop-up and anti-spam tools, announcing soon after that this software would be free to all licensed Windows users. It also bought Sybari Software to bolster its corporate security offering.

This summer Microsoft launched Windows Live OneCare, a consumer security package that includes antivirus, anti-spyware and firewall software. And it has made security a focus of the refresh of its web browser: Internet Explorer 7 has built-in anti-phishing features. It has also been snaffling up smaller players in niche areas such as VPN security, helping to broaden its offering so it can grab an even bigger piece of the pie.

The incarnation of Microsoft the security vendor has inevitably led to increased rivalry with the rest of the security industry - which for years dined out on the insecurity of Redmond's wares.

This rivalry has been hotting up of late as Microsoft has talked up the security credentials of Windows Vista. Security vendors complained they were being locked out of the kernel of the next-generation OS. Vista has even drawn unwanted attention from the European Commission, which has expressed anti-competition concerns over its built-in security features.

Neologisms

An inordinate number of new words and terms are continually being forged to keep pace with the dubious activities of spammers, scammers and malware writers.

Some common security-inspired neologisms you still won't find in the average dusty dictionary are: adware, spyware and malware. But there are many, many more - and many more obscure ones too.

Another common industry-inspired term, 'spam' - which derives its name from the Monty Python spam sketch - has in recent years spawned a couple of lesser known siblings: spit and spim - or 'spam over internet telephony' and 'spam over IM'.

And then there are the 'ph' words - phishing, phreaking, pharming - which strap themselves into the hacker convention of using 'alternative' phonetic spellings.

Some more portmanteaus - hacktivism and hackmail - describe politically motivated hacking, and the act of blackmailing a website for money by using a threat to take it offline, as experienced by many an online gambling site.

A few more colourful neologisms include bruteforce, honeypot, logicbomb, scriptkiddie, sniffer and zombie.

And there's a whole host more...

Let us know your favourite security-inspired neologisms by posting a Reader Comment below or emailing us at editorial@silicon.com.

Orange

Mobile phones have been getting smarter but people, it would seem, have not. Smart phones and PDAs may be able to do all sorts of nifty things with your data but that doesn't mean you won't leave them in the back of a cab or on a pub table. This is where mobile device management - or MDM - comes in.

MDM services enable operators to wipe sensitive data from lost or stolen devices, effectively safeguarding corporate secrets from curious thieves. Back in September a Visiongain report predicted that by 2009 operator and enterprise MDM will be worth $1.3bn - and will grow dramatically after that.

But mobile security is about more than just cleaning up after the event.

Mobile malware has been on the threat radar since 2004 - when the Cabir smart phone worm, which used Bluetooth to attempt to spread between Symbian Series 60-based mobile phones, surfaced - albeit tagged as 'very low risk'.

Mobile viruses have provoked much debate around whether they are an actual or theoretical threat. Many in the industry have accused antivirus companies of massively over-hyping the issue, or else are sceptical that a real risk is currently posed to users.

Mobile operator Orange, however, has been taking the threat more seriously.

Back in July Orange signed a deal with F-Secure to provide security for its users' smart devices at a cost of £1.50 per month - saying, although the risk is "reasonably low", it hopes to act before mobile viruses become a serious problem.

Orange is the first UK operator to attempt to flog mobile antivirus to its customers. Whether it's being prescient or opportunistic remains to be seen.

Passwords

Passwords cause problems. From the IT department headache that is password management - and the many man-hours devoted to carrying out password resets for forgetful users - to plain old human laziness in using the same password for a range of logins, or even using 'password' as a password, passwords are only as good as their all-too-human owners - and even then a hacker using a keylogger, say, can make off with their secret.

In business, the debate about how to encourage password best practice oscillates between teaching users to be 'creative' in making passwords that are adequately complex, to telling users to write down passwords somewhere secure or to use password management software so they don't resort to choosing easy words or using the same password for several logins.

But this is fighting a losing battle, say some.

Back in May, Gartner research VP Jay Heiser said passwords are "fatally flawed" and can't stand up to "motivated attackers". The drive to develop new ways of authenticating users - such as two-factor authentication or human biometrics - is in part fuelled by awareness of the weakness of systems built on crackable password security.

A recent silicon.com leader predicted passwords will be replaced with biometrics or other technology in the long term. Just how long remains to be seen.

Questions

Back in 2004 silicon.com gathered a panel of security experts to address an email inbox stuffed with your security queries. A three-part feature followed - addressing such questions as 'How do spammers get my email address?', 'What's the most ridiculous kind of scaremongering you've heard in the antivirus world?' and 'How easy is it to spoof an IP address?'.

Read parts one, two and three here - and if you still have any unanswered security questions feel free to submit them to editorial@silicon.com.

Also check out this Q&A with reformed hacker Kevin Mitnick answering a smorgasbord of security questions - from the role of Microsoft to the evolution of social engineering and the next big security threat.

Rootkits

A rootkit is a toolkit for hackers - a set of programs used to conceal processes, files or data on a hacked system, so the intruder can, for instance, maintain undetected backdoor access. But it's not just the cyber underworld that makes use of rootkit technology.

Rootkits hit the public radar late last year when it was discovered a Sony BMG anti-piracy rootkit embedded on some of its music CDs was being exploited by Trojan horse viruses.

Users who had installed Sony software so they could listen to their music on their PCs also unwittingly installed a digital rights management (DRM) program designed to limit the number of copies of the CD they could make and prevent them making unprotected MP3s. Several Trojans piggybacked on Sony's DRM tech, cloaking themselves and their nefarious activities. Microsoft even updated its security tools to remove the Sony rootkit, dubbing it a Windows PC security risk.

The issue led to a deeply apologetic Sony recalling millions of CDs and agreeing to pay damages to angry customers.

Spyware

Spyware is software that covertly tracks and monitors the actions of a PC user, using the internet to secretly send this intelligence to a third party. It will get onto a user's machine through any number of underhand tactics.

At its most malicious the application will steal passwords and personal data such as financial information related to internet banking or ecommerce, facilitating fraud and identity theft.

Spyware is now smart enough to recognise when a user is on a transactional website and will use that as a prompt to start relaying keystrokes or screenshots back to its master.

This issue is confused by the grey area of adware, which is often also installed on a user's machine without their full awareness. However, adware, though highly controversial, is by and large legal and will normally only relay information such as surfing habits in order to serve annoying pop-ups and redirect browser sessions. Its intent appears to be to annoy the user by bombarding them with unwanted ads rather than to defraud them.

Both spyware and adware applications will go to some lengths to disguise their installation. Often they are bundled with a download the user does want, or thinks they want.

Speaking last year, Tori Case, director of security management at CA, said: "What one person calls spyware, another calls adware, another calls surveillance software and yet another says it is not anything. That has led to a lot of confusion. If we could all agree, that would allow us to focus our energy on making better products and actually protecting against this stuff."

A movement against spyware has, however, been gathering momentum - in 2005 a coalition was formed with the aim of creating a definition of spyware and developing guidelines to control its use. Early this year the coalition finalised a set of detection guidelines.

For more on spyware, read the silicon.com Cheat Sheet.

Two-factor authentication

When it comes to beating fraudsters, if one security measure is good, two is better, right? That's the principle of two-factor authentication, which is getting big in the online banking world.

It works alongside usernames and passwords as a second level of security, helping to ensure a user of a service such as e-banking is the person they say they are.

The second level of security can be anything - from hardware that generates a single-use number to a series of pre-selected security questions. In practice, though, it is the physical devices – tokens and password/PIN generators – that are most commonly discussed.
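As an added example that is not from the article or from any vendor it names, the following shows how the "hardware that generates a single-use number" typically works under the hood, using the HMAC-based one-time password scheme (HOTP, RFC 4226) as the concrete instance, together with the server-side check that resynchronises a token that has been pressed a few times without logging in and rejects a replayed code. The shared secret and counter values are constructed for the demonstration (the secret is the RFC 4226 test-vector key).

```python
"""HOTP (RFC 4226): what a hardware token computes and how the server verifies it.
Added example; the secret and counters are constructed for the demonstration."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for a shared secret and a moving counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()     # HMAC-SHA-1 per the RFC
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


class HotpVerifier:
    """Server side: remembers the next counter it expects per user and accepts a
    code within a small look-ahead window, so a token pressed without logging in
    still resynchronises. Once a code is accepted the counter moves past it, so
    the same code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0            # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1    # resync and burn this counter value
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test-vector key, ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    token_presses = [hotp(secret, c) for c in range(4)]   # what the token would show
    server = HotpVerifier(secret)
    print("accept first code:", server.verify(token_presses[0]))   # True
    print("replay same code:", server.verify(token_presses[0]))    # False
    print("skip ahead to 4th press:", server.verify(token_presses[3]))  # True
```

The look-ahead window is the usual trade-off: a larger window tolerates more unused button presses but gives a guesser more valid codes per attempt, which is why real deployments also rate-limit failed submissions. Time-based tokens (TOTP) use the same construction with a time step in place of the counter.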

It's early days for the tech, but it already has its critics. Back in 2005, security guru Bruce Schneier gave it a vote of no confidence, saying it is "designed to solve the issues from 10 years ago".

Click here to read the two-factor authentication Cheat Sheet.

USB sticks/devices

Mobile storage devices such as the humble USB stick or iPod might not seem much of a security risk but as the amount of data they are able to absorb has increased they have become a very effective tool for covertly making off with files from the corporate network.

The problem here is the combination of growing storage capacity with the fact that devices such as USB memory sticks, cameras and iPods look pretty inconspicuous in the hands of an employee. Ninety-nine times out of 100 there may be nothing to worry about but if an employee does 'go rogue' those devices may be the most effective tool at their disposal.

Similarly, inbound data could also be a problem. Employees transferring files from home on a mobile device may not be aware there is also malware on the device they are introducing to the corporate network. Also, files transferred could include those in breach of copyright – such as music files, or pirated software – and companies might not fancy facing possible prosecution for the actions of their employees.

As such, many call centres and other offices where sensitive information is accessed – including some government departments – have now taken to banning such devices. Other extreme measures have included companies pouring superglue into USB ports to permanently disable them.

A security industry veteran has even created an app that searches corporate networks for files likely to contain business-critical data and downloads them to an iPod at a rate of around 100MB every two minutes - a process dubbed 'pod-slurping'.

Virus variants

As well as being virulent, viruses can spawn a sequence of variants - tweaks on the same malware theme that aim to outfox security measures and spread yet more infection.

When a virus first appears, security companies mark its name with the suffix '.A' to denote it is the first such strain of that particular virus. Each subsequent variant is then appended with an alphabetically ascending designator, so the next iteration of 'Leap.A' would be 'Leap.B' and so on. Depending on their signature files, different security companies can know the same virus by different names. (Find out more by reading our Cheat Sheet: Virus names and alerts.)

A virus can be named after a string found in its code, the payload it delivers or the effect it has. It can also be popularly known by one or several names while having a more technical moniker too - the virus VBS/VBSWG.J, for instance, is also known as the 'Kournikova' virus, so named because of the promise of a naked picture of tennis star Anna Kournikova used to induce its victims to click.
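The naming convention described above is regular enough to parse, which is useful when grouping alerts from a scanner by family rather than by individual variant. The following is an added example, not code from the article or from any antivirus vendor: it splits names of the 'Leap.A' and 'VBS/VBSWG.J' shape into an optional platform prefix, a family and a variant designator, groups a list of alert names by family, and derives the next designator. Only 'Leap.A', 'Leap.B' and 'VBS/VBSWG.J' come from the article; the other names are constructed, and the wrap from 'Z' to 'AA' is an assumption about how the convention continues past the alphabet.

```python
"""Parse vendor-style malware names (platform/family.variant) and group by family.
Added example; names other than those quoted in the article are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Optional platform prefix ('VBS/'), then a family name, then '.' and an
# upper-case alphabetical variant designator ('A', 'B', ... 'AA').
_NAME_RE = re.compile(
    r"^(?:(?P<platform>[A-Za-z0-9]+)/)?(?P<family>[A-Za-z0-9_-]+)\.(?P<variant>[A-Z]+)$"
)


@dataclass(frozen=True)
class MalwareName:
    platform: Optional[str]
    family: str
    variant: str

    def family_key(self) -> str:
        """'VBS/VBSWG' or 'Leap': the part shared by all variants of one virus."""
        return f"{self.platform}/{self.family}" if self.platform else self.family


def parse_name(name: str) -> MalwareName:
    """Split 'VBS/VBSWG.J' into platform 'VBS', family 'VBSWG', variant 'J'."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a platform/family.variant name: {name!r}")
    return MalwareName(m.group("platform"), m.group("family"), m.group("variant"))


def next_variant(designator: str) -> str:
    """A -> B, Y -> Z; the wrap Z -> AA and AZ -> BA is an assumed continuation."""
    letters = list(designator)
    i = len(letters) - 1
    while i >= 0:
        if letters[i] != "Z":
            letters[i] = chr(ord(letters[i]) + 1)
            return "".join(letters)
        letters[i] = "A"          # carry into the next position to the left
        i -= 1
    return "A" + "".join(letters)


def group_by_family(names: List[str]) -> Dict[str, List[str]]:
    """Map each family to its variant designators, oldest first (A < Z < AA)."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        p = parse_name(n)
        groups.setdefault(p.family_key(), []).append(p.variant)
    for variants in groups.values():
        variants.sort(key=lambda v: (len(v), v))   # length first, then alphabetical
    return groups


if __name__ == "__main__":
    # Constructed alert list; 'Leap.A', 'Leap.B' and 'VBS/VBSWG.J' are from the article.
    alerts = ["Leap.B", "VBS/VBSWG.J", "Leap.A", "Leap.AA", "Cabir.C"]
    for family, variants in group_by_family(alerts).items():
        print(f"{family}: {', '.join(variants)} (next would be {next_variant(variants[-1])})")
```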

Wi-fi

Wireless internet has been helping unchain workers from their desks and getting rural areas of the country online. It's also given silicon.com columnist Peter Cochrane a virtual pipe down which to dispatch his latest missive.

But it's not all a bed of roses.

As wireless networks proliferate and the use of wi-fi becomes more widespread, there are implications for security as regards both the integrity of a corporate network that incorporates wi-fi, and the risk of using external wi-fi - via free hotspots and the like - to conduct corporate business when outside the office.

Earlier this year fears arose over rogue wi-fi hotspots that could be used to steal corporate data from unwary wireless users. But corporate wi-fi networks can themselves be vulnerable to hackers if they do not use data encryption or a security key for the network.

According to research by RSA Security, reported in May, 26 per cent of wireless networks used by business networks in the City of London are unsecured, and 22 per cent of access points still have default settings, making them vulnerable to hackers.

Intellectual property theft is another risk when it comes to unsecured wi-fi. Back in February, a leading City law firm warned companies could face huge legal costs over unguarded use of public wi-fi networks, saying: "The country's hotels and waiting rooms are full of people rummaging through the contents of each others' laptops."

On the hardware side wi-fi has also proved a bit of a thorn in the side of computer makers. A vulnerability in the Apple AirPort driver software shipped with wireless cards for PowerBooks and iMacs was identified earlier this month. And last month Apple owned up to a trio of flaws that could allow Macs to be hijacked over wi-fi. Meanwhile, at the start of this year, Microsoft admitted there is a flaw in the way Windows handles wi-fi connections.

OS X

There are few tech rivalries that involve as much shameless mud-slinging as the Mac vs PC security show.

According to Apple, it goes a little something like this...

PC: Achoo!... I have that virus that's going around... You better stay back: this one's a doozey... Last year there were 114,000 known viruses for PCs...

Mac: For PCs, not Macs... I run Mac OS X so I don't have to worry about all your spyware and viruses...

Since 2001, Apple has been selling Mac OS X. OS X had its first official release in March 2001 (as 'Cheetah'), followed by four updates: 'Puma' in September 2001; 'Jaguar' in August 2002; 'Panther' in October 2003; and 'Tiger' in April 2005. The next big cat to leap out of CEO Steve Jobs' bag of tricks is 'Leopard', due around New Year.

Apple's marketing for the Mac relies on heavy boasting around its security credentials coupled with low-level sniping at Microsoft's expense. The blurb on Apple's website is typical of its message: "Mac OS X was designed with security in mind. Windows just wasn't built to bear the onslaught of attacks it suffers every day. A Mac offers a built-in firewall, doesn't advertise its existence on the net and isn't compromised within an hour of being turned on."

It adds that OS X has "a superior Unix foundation" - superior, that is, to Microsoft's glitch-ridden Windows operating system which when connected to the net "using factory settings is like leaving your front door wide open with your valuables out on the coffee table..." But Apple would say that right?

Yet Apple's marketing message has more than a grain of truth according to silicon.com columnist Seb Janacek. Writing about the state of OS X security last summer, he quoted a product manager from security company Sophos as saying: "The technical challenges of producing malware for the OS X operating system are more difficult than for Windows. Both Mac OS X and Linux are much more secure than Windows... You would have to be genuinely clever to write an OS X virus and most virus writers are not."

A more recent airing of this view came from the writer of a proof of concept piece of Mac malware - which reportedly contained the message: "so many problems for so little code".

Another feather in the OS X security cap is the fact that users are not logged on as the root user, effectively isolating the amount of damage an attacker can do. Meanwhile, says Janacek, the OS' Unix core has "been lovingly audited by the devoted open source community for years".

However, early this year the Mac community was rocked by the claim that the first virus to target OS X had been found in the wild. The malware, known as 'Leap.A', spread via Apple's iChat IM client. A proof of concept piece of OS X malware followed, along with the discovery of a serious flaw in the operating system. Predictions of the beginning of the end for Macs' security 'immunity' duly followed.

The argument frequently used as a stick to beat the Mac faithful - or more likely whip them up into a frenzy - is that as long as Macs are in the minority, virus writers can't be bothered to turn their firepower on them, instead targeting Windows PCs since they are so ubiquitous.

But as Apple grows market share in the personal computer market, the argument goes, Mac users should expect to see more malware.

Due to the strength of feeling on both sides, this is definitely a good debate to file under 'let's wait and see'.

You

You are the weakest link in the security chain - for the simple reason that it's easier to trick a human than a machine. A system is only as secure as its users are security savvy - and when it comes to computers something as rudimentary as a poor choice of password can create a flimsy door into a corporate network that even the most amateur of hackers can kick down.

But it's not just hackers breaking and entering - online fraudsters rely on duping end users to perpetrate their scams. Phishing is a technique that relies exclusively on tricking humans. Phishers send emails spoofed to appear as if they come from reputable outlets - such as banks or ecommerce companies - and the unwary reader is then hoodwinked into handing over confidential info such as bank account details and passwords. This allows the fraudster to skip past security systems without the hassle of having to crack them. (For more on phishing, read our Cheat Sheet.)

Another online con relying on the credulity of human nature is the so-called Nigerian 419 scam. Typically these scams originate as spam email that tells a long and convoluted story about a vast amount of money stuck in some far off African state, a share of which could find its way into your bank account if only you follow their instructions... (which usually involve requests for personal details and some kind of 'transaction fee').

Once someone takes the bait and replies to the original email the scam develops as the scammers attempt to cream off as much cash as they can by requesting advance fees. One 419er was so effective it took down a bank in Brazil. Armed with your bank account details and a photocopy of your passport and driving licence it also doesn't require a huge leap to commit identity theft.

To find out what happened when silicon.com replied to a 419 scam email click here.

Other common security slips made by users include opening infected email attachments and clicking on malicious links in spam email. This PR stunt, carried out by IT skills specialist The Training Camp at the start of this year, effectively illustrated the problem of staff not having a 'safety first' attitude when using the corporate network.

Human gullibility is not the only problem however - the end user is even more of a security risk if they are acting with malicious intent. A silicon.com analysis earlier this year warned businesses to consider threats 'from within' - such as employees with a grudge or those seeking to defraud the business.

The term for the criminal intent to 'hack the human' part of the security chain is social engineering. The techniques used vary widely but the premise is to apparently offer something desirable to a large number of users (such as pictures of naked celebrities) in order to trick them into clicking.

Zero-day

Zero-day is a high alert label. It's used to refer to the fact a bug in a piece of software has been unearthed and is at risk of being exploited by hackers before a patch to fix it is available.

A full-blown attack against an unpatched flaw may even be underway - a zero-day exploit and a zero-day attack have both surfaced recently.

The result of any zero-day alert is a scramble to get a patch out fast.

If the security risk is particularly critical, a third-party security company may step in and issue an unofficial quick-fix interim patch which users can download and install for temporary protection until the bona fide fix is available.

Back in September, the aptly named Zeroday Emergency Response Team, or Zert, released a quick-fix for an Internet Explorer flaw. Microsoft got its own patch out a few days later - slower than Zert but still ahead of Patch Tuesday, its regular monthly patch-issuing day.

Another issue here is with disclosure – when knowledge of vulnerabilities becomes public domain (and hackers and security professionals know the race is on). Responsible disclosure will typically involve security researchers informing the company whose software is vulnerable what flaw they have found. Irresponsible disclosure will see a vulnerability discovered and its details posted online or otherwise revealed in a public forum.

The line between the two is not always so clear though, and improper disclosure could often be responsible for this zero-day lag between vulnerability discovery and patch availability.