TippingPoint’s DVLabs ran their annual contest yesterday at CanSecWest. The results were scary, but not unexpected. The rules are that the contestants must hack one of the provided systems using a zero day attack, which is essentially an exploit of a vulnerability that has been undisclosed to the public. It took mere minutes for exploits of Apple’s Safari, Microsoft’s IE8, and Firefox to result in full compromise of the target Macbook and Sony Vaio allowing the exploiters to go home with $5,000 for each new exploit and a new Macbook and Vaio for the first to exploit those systems.

This was a good example of how cyber attacks have shifted to target the online user and not enterprise exploitations. None of the winners even tried to brute force attack the OSX or Microsoft Vista operating systems as by this time, those systems are locked down pretty well. Instead they focus on the browser environment and this highlights why Phishing, which I talked about in my last blog post, is the first step of the fraud value chain in obtaining personal information.

How many people can honestly say they haven’t linked to a site that they aren’t 100% certain of the content? Have you ever linked to something through a social media site, a chat group, a support forum, through a friend in e-mail? It is no mystery why botnets are such a problem. This has become big business and harvesting identities is the first step to much of today’s online fraud.

What can you do personally? That’s a good question. First, stay up on all the latest patches of your operating system and browser technology. In general, security professionals find Firefox to be better than IE as a browser technology. I use Safari, but as you can tell from the above article, they were all compromised. Second, I think it is wise for anyone to regularly monitor both their credit card statements to protect against unauthorized charges as well as subscribe to a credit monitoring service. Lifelock is an example of a well known service. Finally, as I mentioned many times before, we need to move away from using identity based information in legitimate systems. The one time I have been a potential victim of credit card theft is when my university, who used my SSN as an ID, had these records stolen out of their database. The less we rely on this personal information online, the less valuable it will be and the less it will be stolen.

This entry was posted on Thursday, March 19th, 2009 at 7:21 am and is filed under Financial Services, Online Communities, Online Gambling, Online Gaming, Online Retail. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.