When it comes to security in IT, not a week goes by without a major discovery. We look at several stories that have cropped up recently to reveal the ongoing challenges involved in protecting systems and data.

When it comes to security in IT, not a week goes by without a major discovery, whether it's the first sighting of a serious iPhone exploit or a new Captcha-conquering bot.

To illustrate this, I've decided to take a look at several stories that have cropped up recently.

Chrome, the last browser standing at Pwn2Own

The results of TippingPoint's Pwn2Own hacking contest at CanSecWest once again demonstrated that building a perfectly secure internet browser is very difficult.

Even though Mozilla and Apple rushed out dozens of last-minute security patches before the big contest, Firefox, Safari and Internet Explorer 8 all quickly fell.

A Safari bug even led to the first serious documented iPhone 3G exploit.

The only browser left standing was Google's Chrome. Many observers attributed this success to Chrome's aggressive security model (which is truly impressive in many ways).

But that would ignore the fact that Chrome has had at least 18 documented vulnerabilities in the past three months alone - nearly one-third of which would enable a malicious hacker to compromise a system or bypass access controls.

Those 18 vulnerabilities in Chrome followed 16 others reported during the three prior months - 60 percent of which could lead to system compromise or security control bypass.

This is not to say that Google Chrome isn't a secure browser. It's just that all the popular browsers seem to have their imperfections over time.

Personally, I'd love to see the Opera browser invited to participate in the contest, especially because it has always been a major player in the smartphone space.

Malicious ads spawning from 'trusted' sites

Antimalware company Avast reported that the majority of malicious ads (those containing malware or malicious scripts) are propagated by some of the most popular and trusted services, such as Google and Yahoo.

These ad services provide advertising content to tens of thousands of sites, including the ones that most people consider to be legitimate, and unsuspecting visitors can easily end up infected.

This isn't surprising as I've been talking about malicious ads for over two years.

This is just one more bit of research showing that most people are getting exploited by visiting legitimate websites, not shady ones.

Heck, a pay-for-view porn site may actually be one of the safer places to visit. Banner ad companies need to do a better job of policing their own services and content.

Bot solves Captchas using audio

Most popular webmail sites require new users to answer a Captcha challenge (typing in the distorted letters shown in an image) before a new address is activated.

This is to stop malicious hackers and spammers from using the free service to send unsolicited mail.

Spammers, in particular, have invented all sorts of ways to get around the Captchas.

Initially, they built very accurate OCR engines to answer the Captchas. Email vendors responded by making the text ever more difficult for OCR to identify.

In fact, it's so bad now that even though I have 20/20 vision, I often struggle to figure out which letter I should be typing in.

To meet the needs of the visually impaired, vendors now allow users to listen to an audio clip of the Captcha characters they need to retype.

In response, a new kind of spam bot has emerged. According to The Register, and confirmed by several antivirus companies, the bot has built-in capabilities to listen to the audio files and simulate typing in the answer.

The bot is apparently quite accurate - a point goes to the spammers.

This approach is now my 'favourite' Captcha-bypassing technique. Before, it was spammers hiring people (often in third-world countries) to bypass the Captchas all day long.

Convicted hacker gets to keep most of what he stole

In a disappointing development, judges continue to hand out astoundingly insignificant punishment for cyber criminals.

While I'll admit I don't know all the facts in this popular case, it seems to me that a key player - who wrote the exploit code for one of the world's biggest hacks - got away with just a delicate slap on the wrist.

Twenty-nine-year-old Jeremy Jethro received $60,000 (£39,600) for writing exploit code that he gave to Albert Gonzalez.

As punishment for his crime, Jethro got three years' probation and a $10,000 (£6,600) fine.

Gonzalez is probably the best-known American hacker since Kevin Mitnick.

He has been charged with multiple crimes, including stealing 90 million credit card numbers and information from at least half a dozen of the biggest stores in the world. That's only what the authorities know about.

Jethro has, of course, found religion after being caught. That's all great. What I don't understand is why he doesn't even have to pay back the entire $60,000, not to mention the prosecution and court costs that it took to sentence him.

Help rob a physical bank or store and you can be assured you'll spend time in prison and have to pay back all of your ill-gotten gains. Why don't the same rules apply in cyber space?

US setting sights on countries harbouring cyber criminals

The US is attempting to pass a law that would require it to identify countries providing cyber crime safe havens and impose trade penalties on them.

This isn't exactly new, as I know the US Bush administration threatened something similar with Nigeria over all the Nigerian spam letters - although I don't know the eventual outcome of that particular instance. Meanwhile, Nigerian-orientated spam seems to continue unabated.

Still, I'm happy to see this proposed legislation.

Countries need to be held accountable for permitting bad internet behaviour to continue without repercussions.

I'm not talking about taking punitive actions against countries that appear to be the source of large amounts of cyber crime, but we do need to make sure that countries at least have laws that make cyber crime illegal and that they assist other victim countries in prosecution where evidence has been legally presented.

Unfortunately, if the past is any indicator, this type of bill will probably take years to pass - and when it does, it will be significantly watered down. Hopefully, history won't repeat itself.