Thursday, 14 March 2013 12:05

Hackers Focus On Third-Party Targets


Significant flaws in Microsoft operating systems and programs are becoming a smaller portion of the total. Secunia reports that 86 percent of active vulnerabilities in 2012 affected third-party products such as Java, Flash and Adobe Reader. In 2007, third-party vulnerabilities made up less than 60 percent of the total.

On the plus side, the dangerous window between discovery of a vulnerability and creation of a patch is getting smaller. Secunia reports same-day patch availability for 80 percent of these threats in 2012, up from a bit over 60 percent in 2007. 

It is not surprising to learn that the total number of known vulnerabilities continues to grow year after year, or that most rely on a remote network attack to penetrate vulnerable networks. 

SCADA Insecurity

The 2013 review reports on vulnerabilities in SCADA (Supervisory Control And Data Acquisition) systems. These systems control factories, power plants, nuclear reactors, and other highly significant industrial installations. The infamous Stuxnet worm destroyed uranium enrichment centrifuges in Iran by taking over their SCADA controllers.

According to Secunia, "SCADA software today is at the stage mainstream software was 10 years ago... Many vulnerabilities remain unpatched for longer than one month in SCADA software." A time-to-patch chart of representative SCADA vulnerabilities reveals that several in the high-risk category remained unpatched for over 90 days.

In theory, SCADA systems should be less vulnerable because they're not connected to the Internet. In practice, that's not always the case, and even a local network connection could be compromised by attackers. A total "air gap," with no network connection whatsoever, didn't protect the Stuxnet centrifuges. They fell victim to infected USB drives unknowingly inserted by technicians. Clearly, SCADA software vendors have some work to do as far as maintaining security and pushing out patches.

Hackers Go for the Zero-Day Gold

A zero-day vulnerability is one that's just been discovered, a vulnerability for which no patch exists. Secunia's report includes an informative chart that reports the number of zero-days found each year in the top 25 most popular programs, and in the top 50, 100, 200, and 400. The overall numbers differ year over year, peaking in 2011 with 15 zero-days.

What's more interesting is that within a given year, the numbers hardly change as the pool of potentially compromised programs grows. Almost all of the zero-days affect the most popular programs. That actually makes a lot of sense. Discovering a program flaw that nobody else has ever found requires a lot of research and hard work. It only makes sense for hackers to concentrate on the most widely distributed programs. An exploit that takes total control over the victim's system isn't worth a lot if only one system in a million has the vulnerable program installed.

Last modified on Friday, 15 March 2013 14:05
Rich Wermske

Website: www.wermske.com