By Byron Acohido, USA TODAY
Two cybersecurity surveys released Monday underscore an ominous shift in Web intrusions: They are becoming more stealthy and targeted -- and honed to make a quick buck.
Profit-minded intruders are increasingly carrying out "zero-day" attacks that exploit new security vulnerabilities on the same day such flaws become generally known, weeks before patches are available, according to The SANS Institute security training center.
Security experts say there is no protection against such intrusions. "A zero-day attack takes you through the M&M shell you have around your computer into the soft chewy center," says Scott Carpenter, security lab director at Secure Elements. "It bypasses all the security you've put in place."
The pattern breaks from the hacker tradition of swamping the Internet with nuisance viruses mainly for bragging rights. "We're losing the tsunami effect and instead getting wave after wave of smaller, more intense attacks to get on your machine and steal useful information," says Vincent Weafer, senior director of Symantec Security Response.
Meanwhile, identity data held by corporations and government agencies is being widely exposed on the Web by unsuspecting insiders, according to a survey of 100 organizations by security firm Reconnex. "For the most part, it's good people doing bad things unintentionally," says Reconnex CEO John Peters. "If the data does get into the wrong hands, it could be damaging."
Among key survey findings:
• Insider exposure. An estimated 78% of companies expose Social Security numbers in a way that the data can be leaked, while 40% of companies expose credit card numbers, Reconnex says.
• Applications targeted. Attackers have begun probing software programs, such as Apple QuickTime/iTunes, Windows Media Player and Macromedia Flash Player, for security holes. They've also targeted database-storage applications, such as Oracle and Veritas Backup, SANS says.
• Browsers under siege. In recent months, Apple, long thought immune to intruders, has issued two patches to quell attacks on its Safari Web browser; Microsoft has had to scramble to patch three Internet Explorer zero-day attacks; and Firefox has been patched 11 times, SANS says.
Copyright 2006 USA TODAY, a division of Gannett Co. Inc.