It’s been another slow week in the security arena, which
gives us a chance to be proactive and focus on potential upcoming threats.
Symantec’s release of its semiannual security report offers up a host of threats
to guard against, and a new academic paper presents a new vulnerability to
start thinking about.

Symantec summarizes security issues

Twice a year, Symantec publishes a summary of security
threats reported by its clients. The report offers a good picture of how attackers
are concentrating their efforts and therefore informs companies of where they need
to focus their own efforts.

Released last week, Symantec’s report covers the first half
of 2005. One interesting aspect of the most recent data is that it shows a shift
from general attacks against networks to more targeted desktop attacks.

The most sophisticated threats increasingly gather data that
attackers can use to steal identities or access credit card accounts. In other
words, the most dangerous threats—the economic ones—are increasing, which
indicates a growing sophistication among malicious hackers as well as an
economic incentive behind their attacks.

Of course, this intensifies the vulnerability of online
purchasing at a time when it’s likely to increase due to the surge in gasoline
prices, which makes trips to the mall more expensive. More important, however,
is the fact that hackers with economic motives (as opposed to ego-driven
attacks) are less likely to brag about their exploits—and therefore are more
difficult to catch.

The report also reveals a 680 percent increase in daily
denial of service (DoS) attacks, which could also have an economic motive if competitors
are encouraging the attacks. For more details and more information on other trends,
see the
Symantec report

Looking on the bright side, my own personal check of
Symantec’s database shows progress against malware. There have been no serious
virus or worm attacks reported in the past 30 days.

Can you hear me now?

If you’ve ever thought that some of my security warnings
were the wild delusions of a terminally paranoid nut, consider this: Researchers
will present a University of California Berkeley paper at the November 2005 ACM
Conference on Computer and Communications Security that shows it’s possible to
determine what someone has entered into a computer using only a 10-minute audio
recording of keyboard use. And that’s with a cheap microphone—no sophisticated
equipment is necessary.

As a friend of mine who used to work for that big, unnamed
government agency headquartered at Maryland’s Ft. Meade reminded me the other
day, the government has long known that timing keystrokes can provide a lot of
information about the data someone has entered. Titled “Keyboard
Acoustic Emanations Revisited,”
the paper reports that a 10-minute
audio recording of keyboard sounds allow researchers to analyze the input text
with more than 95 percent accuracy. That means that someone could rather easily
guess passwords just from the sound of users entering them. (If you have
trouble accessing the PDF report, here’s a link to the cached
HTML version

This analysis by itself isn’t surprising, but the
researchers have shown that—unlike earlier tests—this does not require creating
a baseline by first recording someone inputting known text (the cryptographic
equivalent of having a copy of plain text and the resulting cryptogram). In
this case, the researchers’ only restriction was that the keyboard input be in
English. (However, based on their technique, I would say this would also work
for other languages; it would just require basing the analysis on different
frequency charts.)

Let’s be clear on the implications: The paper shows that
someone could record your keyboard input—possibly over an intercom or telephone
connection and certainly over a wireless microphone—and, at some time in the
future, could discover what you had entered with a level of accuracy
approaching that of OCR conversion of printed pages.

Microsoft drops weak encryption

While users are always complaining about Microsoft security
threats, many of them ignore the fact that most of the big problems have to do
with legacy support. That is, they ignore that fact until Microsoft finally
kills off backward compatibility for some much-abused feature, at which time
the real screaming begins.

Well, Microsoft has taken another step to improve security
by telling developers they can no longer use weak
legacy encryption tools
, including DES, MD4, MD5, and even SHA-1 (in
many applications). The move is certain to cause some complaints, but it’s
essential to improve security.

New Firefox version fixes more flaws

For those of you keeping track, there have been more serious and critical
vulnerabilities reported in Mozilla browsers
in the past six months than in
Internet Explorer. Firefox
1.0.7 is now available
to fix some of the most recent flaws, including a
highly critical URL shell command injection threat reported by Secunia on September 20.

This threat also affects Mozilla Thunderbird 1.x, but no
patch is available yet. Until Mozilla does release a patch, Secunia recommends not
using Thunderbird as your default mail reader.

Final word

OK, we all know that these periodic reports by security
companies are obviously promotional vehicles for their products and services,
but that doesn’t make them untrue. In fact, these reports from the front lines
are the only good way to gauge the relative increase in some kinds of threats,
showing us where to concentrate our security efforts. As such, they provide
valuable information. So, in addition to being good PR, they’re also a useful
public service.

Also watch for …

Multiple serious vulnerabilities have surfaced in the
Linksys WRT54G wireless router, which is never good news for a wireless access
point. The vendor has released patches to plug the five most serious holes, at
least one of which would allow an attacker to disable or alter security
settings. Here’s a list of the advisories:

In addition, Apple has patched Java
in OS X 10.3.9 (Panther) and OS X 10.4.2 (Tiger). Last week, the
software company also released 10 new security
. For more information on the Java flaws, see the following resources:

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.