It is 17 days before Christmas, so let us be the first to wish you Happy Holidays!
It's quite a relief to hear that the great recession is over. Or is it really? 2009 has been a tough one for all of us and though it may take some time to recuperate from the economic meltdown, surviving it is probably one of the good reasons to celebrate this year end.
This year, QUANTIQ has adopted several technologies to serve our customers' security requirements and to address the new and evolving threats that could potentially affect our clients. The products we have added to our suite of solutions include:
1. SaaS Web Security - Cloud computing emerged as an important technology against constantly evolving malware threats. SaaS, a type of cloud computing, delivers a single application through the browser to thousands of customers using a multi-tenant architecture. Zscaler, the industry-first multi-tenant SaaS security service, gives any end user, from any place and using any device, a rich Internet experience while enforcing security and business policy.
2. Endpoint Security - We heard a lot from our customers about the pain of a growing and rapidly evolving set of security threats, including data breaches on endpoints. It wasn't difficult for us to choose Lumension, and that's because of their award-winning solution portfolio, which includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and Compliance offerings.
3. VoIP and Unified Communications Security - VoIP and Unified Communications promise many benefits; however, moving the phone service to an IP network can expose that service to a number of threats. Sipera, a leader in Unified Communications security, has spent over five years defining UC security through its extensive knowledge and expertise in security, VoIP, call control and telephony protocols. Sipera's purpose-built UC security appliance protects against signaling and media vulnerabilities while maintaining the highest quality of service (QoS).
4. Event Data Warehouse - Traditional data management systems were built for transactional data, not event data. Event data is the fastest-growing category of data and includes network, security and database logs, physical access systems, enterprise applications, bank transactions, telco call records, internet traffic detail, and manufacturing sensor data. Attempts to use traditional data management systems to manage event data often lead to dramatically higher costs and complexity. More than 400 customers have deployed SenSage solutions to reduce security, fraud and compliance risks at a fraction of the cost of traditional data warehouse and log management solutions.
5. Managed DDoS Protection - Several politically motivated DDoS attacks happened this year against social media, DNS and web service providers. With over 50,000 distinct attacks per week, denial of service has become the most costly form of cyber-crime that businesses face today. This became the driving force for us to bring the world-class DDoS mitigation service by Prolexic into our line of solutions. Prolexic was the first company to establish global scrubbing centers to stop DDoS attacks in the cloud with unique filtering techniques and a powerful DDoS detection and protection system.
6. Access Control and Audit for High Risk Users - The need for companies to remotely manage and audit the activities of vendors, IT administrators, application developers and technical contractors to secure business-critical assets marks the birth of Xceedium. Gatekeeper, Xceedium's award-winning appliance, is used to control, contain and track user access, reduce outsourcing risks and comply with industry standards and internal policy requirements.
7. Smartphone Protection - Mobile threats and vulnerabilities grew along with the popularity of BlackBerry devices, iPhones, and other smartphones. Full-time connections via email, VPN and enterprise applications, combined with local storage of data on smartphones, increase the potential for exposure of sensitive, confidential and legally protected data. GuardianEdge Smartphone Protection safeguards organizations from the risks of exposure of legally protected data, loss of critical intellectual property and non-compliance with business-critical regulations with an enterprise solution for both data protection and device security.
Season's Greetings!
Kwek Hong Sin, Managing Director, Quantiq International Pte Ltd
Before we leave this year behind, let's travel back to the beginning of 2009 and look, from the most famous virus to the riskiest high-profile celebrity, at the major security threats and vulnerabilities that made the headlines.
As we started to feel the effects of the global recession, the Conficker worm propagated in the first quarter of 2009. Throughout the quarter, exploits on social networking sites increased, and mobile phone vulnerabilities and new data breaches were reported.
- Conficker emerged in the last quarter of 2008 and continued to infect millions of computers during Q1 of 2009.
- A new way emerged for attackers to phish for credentials without the need to send emails or trick users into visiting a malicious website: compromising a legitimate website with malicious JavaScript. One famous infected website was Paris Hilton's, where visitors received a pop-up box that informed them they needed to "update" their systems. The dialogue box gave users the option to choose "cancel" or "OK," but any click downloaded the malware.
- A leading credit card processing company suffered a massive data breach because of data-capturing malware loaded onto its systems. Visa revoked another payment processor's PCI-compliant status because of a data breach.
- Blended attacks jumped to nearly five percent of spam mail, leveraging social engineering tactics to imitate legitimate emails, such as shipping tracking forms and fake news stories, which redirect users to malicious links.
- A new style of DNS amplification was used for powerful DDoS attacks; it uses a very short query that simply asks for the name of the servers. Domain name registrar and web hosting provider GoDaddy.com experienced a DDoS attack aimed at its hosting servers for the first time.
- A vulnerability was found in BlackBerry Application Web Loader, an ActiveX control that is typically started on a web page, where attackers can execute arbitrary code once they convince a user to view a specially crafted HTML document.
- Online game password stealers (PWS), which steal gaming credentials either through keylogging or by injecting themselves into game clients and reading memory, grew.
- Insider data theft was exacerbated by the economic crisis.
- Web application vulnerabilities increased to 80%. Some of the web application vulnerabilities, for example, were in Adobe, SAP, Microsoft, Mozilla, Sun, Apache, and Oracle products.
- Virtumundo, an adware program that displays pop-up advertisements on the desktop and also downloads other software from various remote servers, found a new way to infect computers via USB drives or other removable devices.
- Numerous variants of Koobface propagated on social networking sites, such as Facebook and MySpace, through socially engineered messages sent to those on an infected user's "friend" list.
The first week of the 2nd quarter was welcomed by several DDoS attacks on DNS providers. And as Conficker remained in the wild, vulnerabilities were identified in Adobe Acrobat/Reader that would cause the applications to crash and potentially enable an attacker to take control of an infected system. The outbreak of swine flu and the deaths of some famous celebrities became the subject of spam mails spreading malware.
- DDoS attacks hit major web service providers, including DNS provider NeuStar, which affected Amazon's S3 cloud computing service, Salesforce.com, IMDB.com and Petco.com. Register.com, a major domain registrar and web hosting company, was also affected by DDoS attacks on its DNS name servers. The UltraDNS service was also hit by a huge volume of completely legitimate-looking DNS queries.
- Twitter was struck by a particularly nasty cross-site scripting worm that spreads links to a supposed Twitter copycat site called StalkDaily[dot]com by exploiting a cross-site scripting (XSS) vulnerability and infecting an unknown number of Twitter profiles.
- The time has come for Mac users, as bot herders have found a way to infest Mac computers via pirated software.
- Swine flu caused an outbreak of fraud through spam mail that lured readers to a pharmacy site using attention-grabbing subjects involving celebrities, such as Salma Hayek being affected by swine flu. Spam in Q2 went up to 53% from the first quarter of the year.
- Adobe Acrobat / Adobe Reader exploits spiked to 48%, which puts it at the top of unsecured applications according to Health Check statistics. Adobe released an update for the server-side security flaw.
- Cybercriminals distributed versions of the Windows 7 release candidate (RC) that contain malware designed to infect a customer's PC.
- Insider threats: An auditor at California Water Company stole $9M and fled the country. A former Bank of America teller was nabbed for stealing bank customer identities in a scheme to fraudulently withdraw bank funds.
- President of the United States, Barack Obama, announced the creation of a new White House office to be led by a Cybersecurity Coordinator.
- China has mandated that all computers sold in China, including imports, will need to be pre-installed with a software application called "Green Dam Youth Escort". The software's intended purpose is to filter pornographic or violent material. Green Dam is designed for Microsoft Windows.
- Celebrity exploits: Michael Jackson's death was exploited by cybercriminals, and a fake report of Britney Spears' death was posted on her hacked Twitpic account. Farrah Fawcett's death was also used in spam.
As Michael Jackson's life and death continued to draw interest, multiple spammers launched malicious campaigns aiming to infect users with malware or obtain sensitive information from victims. Most organizations struggled to secure data due to issues such as lack of CEO support and budgetary resources. During this quarter, more social media and network attacks happened, and Firefox introduced its new private browsing feature and a notification for outdated versions of Adobe Flash Player.
- An iPhone hacker revealed an SMS vulnerability which reportedly can be used by an attacker to take control of the device to perform actions such as eavesdropping on conversations or tracking down a user's location through the phone's GPS capability.
- DDoS attacks deepen: All fingers pointed to North Korea for cyberattacks that crippled some U.S. and South Korean websites. After some investigation, new evidence shows that the attacks trace back to a "master server" in the U.K.
- ID theft: An AT&T temp staffer and two others stole personal information from 2,100 employees of the telecom company and used some of the stolen confidential data to apply for "payday loans".
- Report: Companies' data has been attacked in the past Q1 and Q2, and CEOs are less aware of data breaches that have occurred compared to other C-level executives.
- Sensitive Twitter information stored in a Google Apps account was hacked, including financial reports and plans for a reality show based on the popular microblogging service. The hacker, who figured out the personal email password of a Twitter employee, used it to access the worker's Google Apps account.
- Payment Card Industry Data Security Standard (PCI DSS) has begun issuing 33-page guidance documents that merchants can use to help them better understand and adhere to payment security standards. Among its goals is to ensure that the appropriate level of encryption is used by retailers using Wi-Fi networks to transmit payment card data.
- The United States was reported to be the No. 1 spam sender with 15.6 percent of junk mail traffic, followed by Brazil with 11.3 percent and Turkey at 5.2 percent.
- Two new rules were mandated requiring health care organizations and other entities that interact with personal health records to issue notifications in the event of a data breach. Under these regulations, individuals whose information has been breached must be notified when the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS (Health and Human Services) annually.
- 56,000 websites were infected by a mass SQL injection attack with a malicious IFRAME that loads exploits from several attacker-owned domains. The attack continued to scale up, infecting more than 210,000 web pages.
- A Skype-snooping trojan was released that has the ability to snoop on phone calls over the popular voice over IP (VoIP) program Skype.
- Data breach: Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China that he downloaded from his company-issued laptop to an external hard drive.
- Cloud security is becoming popular due to its cost-saving benefits. Other factors include scalability, reliability, functionality and fewer security products to manage.
The much-anticipated release of Windows 7 launched during this last quarter of the year. The Zeus trojan was propagated through spam messages claiming to be a password reset request from MySpace and a critical update for Microsoft Outlook Web Access. The Cybersecurity Enhancement Act of 2009 was passed to implement a number of recommendations made in the 60-day Cyberspace Policy Review released last May.
- U.S. Army Special Forces documents were leaked to a P2P (peer-to-peer) network, containing the names, Social Security numbers, home phone numbers and home addresses of 463 soldiers, and the names and ages of soldiers' spouses and children, from the Third Special Forces group, based out of Fort Bragg, N.C. The U.S. House Energy and Commerce Committee has passed a bill intended to prevent inadvertent disclosure of information on peer-to-peer (P2P) file-sharing programs.
- The password-stealing trojan Zeus targets corporate email users by tricking them into believing they have to update their webmail settings via a link that looks like an authentic Outlook Web Access site. Authorities in the U.K. charged two 20-year-olds in mid-November for the distribution of this trojan.
- Avalanche was named one of the most prolific phishing groups of 2009. It spoofed more than 30 financial institutions, some online services and job search companies, and was responsible for 24 percent of phishing attacks during the first half of the year.
- Windows 7 launched as a replacement for Windows Vista and Windows XP, with a number of improved security features, including a more user-friendly User Account Control (UAC) and the extension of encryption capabilities to USB flash drives and external hard drives.
- Gumblar attacks: the backdoor script being used to infect legitimate websites caused some WordPress blogs and other PHP-based sites to crash.
- SSH-enabled jailbroken iPhones can open holes for attackers to gain root access to the devices if the default password for SSH has not been changed. Attackers perpetrate the theft by installing a tool on their computer.
- Firefox accounted for almost half of all browser vulnerabilities in the first six months of 2009 while Apple's Safari had the dubious distinction of coming in second. Microsoft's Internet Explorer (IE) was third, while Opera Software's flagship browser took fourth place.
- RIM patched a BlackBerry Attachment Service vulnerability that could allow an attacker to execute arbitrary code.
Disclaimer: All the information in these reports was gathered from different media sources and has been summarized exclusively for our newsletter subscribers.
Quantiq offers this program to help channels capitalize on Quantiq's market leadership in distributing the best and proven IT Security solutions.