Archive for the 'Hacker Anthology' Category

Malicious Sites

Half of malicious sites are tied to just 10 Chinese networks.

Scripts in ASF files

A classic trick is to embed a script or text in a file with a different extension, for example saving a text file as jpg. When the browser comes to look at it, it will likely try to resolve it as a jpg. But there is a plethora of extensions out there. Some extensions activate applications (e.g. Acrobat, Windows Media Player), which read data in their own special way.
Advanced Systems Format (ASF) uses a combination of media and text streams. URLs that point to malware can be embedded in a malicious ASF file. Anti-virus software should pick this up, but there should really be checks on the contents of the ASF file itself, which should stop it surfing off to the Internet. A sans.org reader wrote a simple tool for this.
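One way to check the contents of an ASF file as described above, written as an added example (it is not the sans.org reader's tool): it walks the ASF header, decodes the Script Command Object and lists the URL-type commands. The GUIDs and field layout follow the ASF specification; the function names and the sample built by `build_sample` are constructed for illustration.

```python
import struct
import uuid

# GUIDs from the ASF specification; stored little-endian on disk.
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")

def _wstr(buf, off):  # WORD character count, then that many UTF-16LE chars
    (n,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 2 * n
    if end > len(buf):
        raise ValueError("string runs past end of object")
    return buf[off + 2:end].decode("utf-16-le", "replace").rstrip("\x00"), end

def _parse_script(body):  # body = Script Command Object minus its 24-byte header
    ncmd, ntype = struct.unpack_from("<HH", body, 16)  # skip 16-byte reserved GUID
    pos, types, out = 20, [], []
    for _ in range(ntype):
        name, pos = _wstr(body, pos)
        types.append(name)
    for _ in range(ncmd):
        time_ms, idx = struct.unpack_from("<IH", body, pos)
        text, pos = _wstr(body, pos + 6)
        out.append((types[idx] if idx < len(types) else "?", time_ms, text))
    return out

def script_commands(data):
    """Walk the ASF header objects; return (type, time_ms, text) per script command."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != HEADER_OBJECT:
        raise ValueError("not an ASF file")
    size, count = struct.unpack_from("<QI", data, 16)
    end, off, found = min(size, len(data)), 30, []
    while count and off + 24 <= end:
        (osize,) = struct.unpack_from("<Q", data, off + 16)
        if osize < 24 or off + osize > end:
            break  # malformed object size: stop instead of over-reading
        if uuid.UUID(bytes_le=data[off:off + 16]) == SCRIPT_COMMAND_OBJECT:
            found += _parse_script(data[off + 24:off + osize])
        off, count = off + osize, count - 1
    return found

def embedded_urls(data):  # URL-type commands send a player to a web address
    return [(t, text) for kind, t, text in script_commands(data) if kind.upper() == "URL"]

def build_sample(url="http://example.invalid/landing"):  # constructed input
    w = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", 1, 1) + w("URL") + struct.pack("<IH", 5000, 0) + w(url)
    obj = SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

A gateway or mail filter could call `embedded_urls` on each .asf/.wmv/.wma attachment and quarantine or strip files that return any entries.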

Lost your laptop?

A staggering 12000 laptops are lost or stolen every week at US airports. There is every chance that at least one has some form of confidential information on it or, worse, that the lost laptop holds the only copy of certain corporate information. This is demonstrated by the Daily Mail, where a laptop was lost that contained employee information including names, addresses, bank accounts and sort codes. Surprise, surprise: no mention of it on the Daily Mail website, but they do happily mention the Ministry of Defence losing 3 laptops and that confidential Home Office CD found in a laptop sold on eBay. Talk about the pot calling the kettle black.

VoIP Security

VoIP is a growing technology and there are a number of things you can look for. Ideally, your voice network should be segregated from your data network using VLANs. Traditional phone/voicemail attacks may be used. There are two useful blogs to look into if you want to find out more: voipsecurityblog and Nortel.

Not good for kids in the IT industry

This indirectly concerns the IT security industry, but in the UK there are fewer jobs going around for computer science graduates, as 10% are unemployed after graduation. This seems a little bit strange considering there is a skills shortage and university intake numbers are dropping.

So why aren’t companies hiring IT graduates? That’s a good question! Rightly or wrongly, companies are generally looking for guys to hit the floor running and be productive as soon as possible. Training is expensive. I was just flicking through the SANS Institute site and it’s not unheard of for a 5-day course to cost 3000 pounds. Training is also time-consuming, and some companies may not have the luxury of time to have someone in-house train the kids up to speed.

The ideal solution is to introduce more industry-supported degrees. But once again that involves costs, and these days, with the credit crunch, cutbacks and job security worries, I wouldn’t be surprised if there is a major reluctance.
