back to article 2014 in infosec: Spammers sneak small botnets under the wire, Java is dull

Cisco's annual report on the state of global cybersecurity claims spammers just won't die and are using new tactics to avoid detection by filters; malware programmers are abandoning exploiting Java; and there's a possible silver cloud in the Sony Pictures hacking storm. The networking giant saw malware-carrying spam up 250 per …

  1. Destroy All Monsters Silver badge
    Paris Hilton

    Flash and Internet Explorer were popular targets, too, but there's an increasing focus on the Apache Struts Framework, Cisco warned, and Silverlight attacks were up 200 per cent on the year, the report claimed.

    "Apache Struts" sounds early 00-s levels of ancient and isn't "Silverlight" dead as having been branded with Microsoft Mark Of Undevelopment?

    1. thames

      Apache Struts is officially EOL with no more support and users are supposed to migrate to something else. It's an ex-Parrot. There will no doubt be some people who have existing systems which still use it, but the reason it died was that nobody was interested in it enough anymore to maintain it. To be honest though, I've never heard of anyone who has actually used it.

      The current version of Silverlight however is supposedly supported up to 2021, and Microsoft's official web site is still saying people should develop new applications with it. So. it's still "alive" in that sense, even if it has the mark of the undead on it.

      However, I suspect that Silverlight will be the more serous problem, as Struts is server-side stuff, while Silverlight is a client-side browser plug-in, which is the favourite haunt of virus writers and the source of much of Java's woes. I won't be surprised if Dotnet is about to get some of the virus love via Silverlight that afflicted Java until recently. Fortunately, hardly anyone used Silverlight, so it's a lot easier to get rid of.

    2. Captain Scarlet Silver badge

      I thought Silverlight was dead but I still see it on lots of machines along with Java and the Ask Jeeves toolbar.

      1. Daniel B.

        Java

        The main difference being that Java is actually still used in a lot of stuff. Some tax revenue services in several countries require client-side Java, thus you will see a lot of Java everywhere. That's good, as there's also an incentive to plug Java holes. Meanwhile, Silverlight is dying and not even MS can be arsed on fixing that. Reminds me of that other dying tech, ActiveX.

  2. Daniel B.
    Boffin

    So Java no longer the main attack vector?

    Interesting. It seems that Oracle's focus on fixing Java's security is finally working. Meanwhile, it's now "secure" .NET the one growing holes. Okay, maybe they're targeting Silverlight because that one's suffering a slow, silent death these days...

    1. Irongut

      Re: So Java no longer the main attack vector?

      A reduction in Java attacks has nothing to do with Oracle making it more secure and everythign to do with no one installing it. These days you only install Java if a user actually needs it and unless you've been writing LOB apps in Java those users are few and far between.

      If MS would stop Windows Update foisting Silverlight on people who don't need it (almost everyone) then it would be less of a problem too.

  3. Shannon Jacobs
    Holmes

    Would you like to help break the spammers business models?

    Apparently I'm the only such person? Really? Don't you think that most people are basically good and if you help them do good things, then they will? Do you think most people want spam?

    Wasting the keystrokes again, but I REALLY wish that one of the major email services would get serious about putting the spammers out of business. Playing patty-cake with filters is NOT a solution, and it is obvious the spammers don't mind at all.

    However, have you noticed that one category of spam has mostly disappeared? The so-called powers-that-be decided to break the business model of the pump-and-dump stock scams, and now you hardly ever see that kind of spam. Not because we hate it as much as other spam, but only because several research papers revealed that the spammers were essentially printing money, and the powers-that-be could not tolerate that, so they broke the spammers' business model.

    We could, if the powers-that-google-or-Yahoo-or-MS wanted to, do the same thing for every other category of spam. I'd be glad to help out by donating a bit of my time to analyzing the spam and helping recommend the best countermeasures--but I can't. Especially in the case of the google, it is clear that they are too EVIL to care. If you study the google's anti-spam measures, all you can say is "pitiful", but the spammers are happy.

    What we need is a fairly simple iterative analysis and targeting tool for spam. At each round of analysis or targeting, the wannabe spam fighter would confirm or correct the analysis and countermeasures. Of course there should always be "Other" options, because the spammers are also sickly imaginative and there will always be new scams coming up.

    I'm not saying we can cure the spammers or make them into decent human beings. I'm just saying we can reduce their profits and drive them under less visible rocks.

    Remember, the number of people who HATE spam is huge, and the sucker who feed the spammers are really scarce (and stupid). If only it were easier for the large number of people to protect the suckers from themselves. (Amazingly enough, that would even protect the corporate victims from the abuse of their supposedly valuable reputations, which is the part that amazes me most. Why does the Google keep punching themselves in the face?)

  4. Anonymous Coward
    Anonymous Coward

    Some wishful thinking on Cisco part

    The reason why Java attacks are down, is b/c many browser now actively blacklist Java runtime by default. Mozilla blocks outdated Java plugins by default, and ask you to click to activate it every instance if it is updated. Chrome the same thing.

  5. Mike 16 Silver badge

    Silverlight

    Doesn't Netflix still default to Silverlight? Not that anybody would ever think of targeting Netflix users, but unlike Java plugins that (as noted above) are typically disabled, I'd expect that Silverlight is enabled by default on a lot of computers.

  6. Michael Wojcik Silver badge

    Gah

    OpenSSL's Heartbleed and Shellshock bugs

    Shellshock has nothing to do with OpenSSL.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like