Weekly Intelligence Summary: 2010-02-05

Dave Kennedy
February 8th, 2010

Criminals attacked Twitter and European carbon exchange markets using a similar modus operandi: multiple BitTorrent sites used a common template that has been found to include a backdoor to harvest login IDs and passwords. Similarly, bogus carbon exchange registries harvested other ID/PW pairs. Criminals exploited users’ habits of re-using ID/PW combinations. A quarter million carbon credits worth €3m, and an unknown number of Twitter accounts, were stolen. Vulnerability pimps were out in force in Washington DC, as evidenced by interim security advice from Microsoft and Oracle to mitigate disclosures prior to patch availability. Verizon Business Security Solutions customers received the Risk Team’s assessment of the “APT” issue, with our conclusion that it is not FUD, but it has been hyped. Finally, the Pushdo trojan was blamed for spurious SSL flows to 315 sites last weekend, but Trend Micro published research on Thursday declaring the malware involved was not Pushdo.

Weekly Intelligence Summary: 2010-01-29

Dave Kennedy
January 29th, 2010

Researchers at the University of Cambridge found design errors in 3-D Secure, the technology behind Verified by Visa and MasterCard SecureCode. The short-term risk is negligible, but the impact on trust in these systems may be the most significant InfoSec risk issue of the week. Spring (in the Northern Hemisphere) arrived early, with InfoSec-related studies sprouting like dandelions but with no discernible impact on risk. Cyberattacks on companies in the energy sector almost displaced “Aurora” after a Christian Science Monitor report, but a report in Forbes about security companies profiting from the attack reports is of equal importance. Revenue spent on unnecessary security controls acquired purely to relieve anxiety is a risk in the InfoSec space, and one that also must be avoided. Criminals enjoyed an unusually successful week, compromising TechCrunch twice, 30 US Congress web sites and NASA, and causing mass infections at the webhost ThePlanet. There does not appear to be a common cause for these intrusions, but SQL injection leads the list of suspected vulnerabilities.

7Safe Security Breach Investigations Report

Wade Baker
January 26th, 2010

The UK Security Breach Investigations Report 2010 has been released. It is the joint work of 7Safe, the University of Bedfordshire, SOCA (Serious & Organised Crime Agency) and the Metropolitan Police Service. Quite a lineup.

In similar fashion to our DBIR, it covers 62 confirmed breaches investigated by 7Safe’s security breach investigations team. A first glance shows some very interesting statistics that are comparable to what we’ve been publishing for the last few years. We’ll publish a more detailed comparison in the next few days. For now, we just wanted to make sure folks knew it was out there.

We commend all involved for sharing this data.

Operation Aurora Attacks

Dave Kennedy
January 21st, 2010

There seems to be a lot of chatter regarding what McAfee is calling “Operation Aurora”. This refers to attacks against a number of companies including Google, apparently in China or doing business in China, involving a previously undisclosed vulnerability in versions of Internet Explorer after 5.01 and before 8.

The original attacks are reported to be “targeted”, allegedly appearing in employee inboxes and looking as if they had come from a fellow employee. These emails include a link to a web page that exploits the browser. McAfee states in their blog that initial exploitation results in the downloading of several pieces of malware that open a covert channel to command-and-control servers (now offline).

Our take is that this is just another browser vulnerability. According to public sources, there were 34 last year. Anti-virus companies have signatures available, and Microsoft is working on a patch. Been there, done that, got a T-shirt.


Weekly Intelligence Summary: 2010-01-15

Dave Kennedy
January 16th, 2010

Reports of targeted malicious code attacks on Google, Adobe, Dow and at least 31 others have boosted consumption of Tylenol, Tums and electricity among InfoSec professionals this week. However, the true impact on risk was simply confirmation of the evolution of malware we’ve all seen since the Storm worm three years ago. In 2005, the Haephratis used targeted malcode attacks while seeking proprietary information. Gonzalez and crew stole $9 million (US) from ATMs in 43 cities globally over a two-day period in 2008. F-Secure reports that 47% of the targeted attacks they intercepted in 2009 used PDF files. Adobe’s security bulletin is almost certainly the most significant risk development of the week. Plan, test and deploy that update. Microsoft and Oracle also released significant security bulletins that should be deployed by Verizon Business Cybertrust security enterprise customers.

Weekly Intelligence Summary: 2010-01-08

Dave Kennedy
January 9th, 2010

A second attack in as many weeks targeted a large, well-resourced DNS array; on Wednesday, InterNexX, a host for 2.9 million domains, was attacked and was only intermittently available. This follows the attack on UltraDNS on 2009-12-23. Criminal manipulation of search engine optimization resulted in office.microsoft.com’s search function yielding results that redirected users through office.microsoft.com to a site trying to entice users into installing a rogue anti-virus. Millions of bank cards in Germany and Australia, SpamAssassin and Symantec Endpoint Protection failed after rolling from the year 2009 to 2010. The Chairman of the FCC, the president of Iran, four government departments in the Philippines, the on-line trading site collective2.com and the Pakistan National Response Center for Cybercrimes all fell victim to intrusions, mostly defacements. These incidents notwithstanding, malicious, JavaScript-laden PDF files sent in targeted attacks remain the most significant risk for Verizon Business enterprise customers. Fortunately, this coming Tuesday brings patches to Adobe Acrobat and Reader, Windows 2000, and “hundreds” of Oracle products. Happy New Year!

Weekly Intelligence Summary: 2010-01-01

Dave Kennedy
January 5th, 2010

Targeted attacks using the most recent Adobe PDF vulnerability are the most significant issue in the risk environment this week for Verizon Business enterprise customers. The Waledac (aka Storm II) botnet went active last Wednesday evening with New Year’s messages leading to Trojans. On the previous Wednesday, 2009-12-23, someone attacked UltraDNS, the DNS service provider for Amazon (including their clouds) and Wal-Mart, but the attack was either short-lived or easily mitigated by the hoster. Metasploit released a new module for a configuration-induced vulnerability in Internet Information Services (IIS), but the population of vulnerable systems is probably small, and among enterprises almost certainly not a significant risk.

Weekly Intelligence Summary: 2009-12-18

Dave Kennedy
December 18th, 2009

Reports surfaced this week of a previously unknown vulnerability in Adobe Acrobat and Reader being used in targeted attacks, and one report of a “drive-by-download” from a “normal” web site. Once again, Acrobat and Reader and their interaction with JavaScript have resulted in compromises. However, the number of attacks is tiny, and IDS and anti-virus products are being updated to further reduce a very low risk until patches become available on 2010-01-12. Twitter suffered a DNS hijacking attack on Friday, but the root cause is unclear. The Australian government is moving ahead with plans for nationwide network filtering, primarily of obscene content, but implementation is more than a year off. A new version of Ruby on Rails addresses vulnerabilities. Research in Motion suffered through a BlackBerry e-mail outage on Thursday. All in all, it was a relatively unremarkable week in Information Security Risk.

“Operation Chokehold” is Unquestionably Irresponsible

Dave Kennedy
December 18th, 2009

A “flash mob” effort threatens to attack AT&T’s wireless network later today. This is simply wrong. Nice people do not do this.

Professionals do not engage in this sort of behavior. The purported motivation or provocation is irrelevant. Deliberately trying to degrade the service one pays a provider for is contradictory, rude and possibly illegal. The Verizon Business Risk Team condemns this attack and any similar activities.

2010 Security Predictions

Russ Cooper
December 15th, 2009

It’s that time of year again, the time when some things are simply inevitable. Things like fruitcake, maxed out credit cards, endless commercials about the “sale to end all sales”, and last, but not least, end of year predictions by everyone in the Security field who thinks they know something the rest of us do not. I don’t want to buck the trend or to be dubbed a scrooge, so I thought I would add my own two cents. My 2010 predictions are listed below, so give them a read and let me know your thoughts.

My 2010 predictions:

1.) Services will protect themselves: Facebook, Google, Twitter, TinyURL and the like will gain more control over criminal content. They will achieve this by either eradicating it or flagging it as bogus (or questionable), since not doing so seriously jeopardizes their business model. Those that do not will lose significant advertising revenue and go under (or away, or will be consumed by competitors).

Weekly Intelligence Summary: 2009-12-11

Dave Kennedy
December 11th, 2009

Microsoft and Adobe security bulletins and a surge in malicious PDF files lead the InfoSec issues relevant to risk in enterprises this week. Two of this month’s Microsoft patches are in critical security infrastructure and so have received our 30-day recommendation, as has the Internet Explorer cumulative update. The IE vulnerability disclosed via Bugtraq on 2009-11-20 was among those closed by the cumulative update to IE. Adobe fixed seven vulnerabilities in Flash and AIR. Rootkit-enabled Trojan horse code in PDF files is the flavor of the week from the Zeus gang. Three developments in Governance risk may result in greater compliance costs for many businesses.

RAM scrapers: The sky isn’t falling

Wade Baker
December 11th, 2009

In the last day or so, we’ve seen several articles and web chatter on RAM scraping malware as described in our 2009 Data Breach Investigations Supplemental Report. Some of this discussion seems to be heading in a bit of a sensationalist direction. Others suggest that some of the information we present is inaccurate. We’d like to head this off with some quick Q&A for clarification.

Q: Why do we say RAM scrapers are “a fairly new form of malware”?
A: Because their occurrence is fairly new among breach investigations in our caseload. We aren’t suggesting the concept itself is new.

Q: Is this the end of the Internet or data security as we know it?
A: No, of course not.


2009 Data Breach Investigations Supplemental Report

Dave Hylender
December 9th, 2009

Verizon Business released the 2009 Data Breach Investigations Supplemental Report today. As you may know, the supplemental report addresses requests, issues, and questions that arise from our readers regarding the annual Data Breach Investigations Report (April 2009). This year’s model is a catalogue of the attacks that occurred most frequently in the data set used for the 2009 DBIR.

It is, in large part, a divergence from previous reports in that it provides a more in-depth and wider view of a data breach, and is not solely statistics driven. The aim of the report is to provide both technical personnel and managers with a one-stop compendium of pertinent details on the widespread threats within our caseload. It is our hope that readers can directly utilize the information provided to prepare for, detect and, ideally, prevent these types of attacks.


Weekly Intelligence Summary: 2009-12-04

Dave Kennedy
December 7th, 2009

The Advance Notification Service (ANS) from Microsoft for December’s security bulletins had the greatest impact on risk for Verizon Business customers. Adobe also made a pre-release notification for an update to Flash on 2009-12-08. Time wasted worrying about newly announced vulnerabilities is a greater risk than the risk of attack on those bugs. Vulnerabilities in SSL VPNs, Novell eDirectory and the BlackBerry PDF service are all unlikely to become attack targets. Their contributions to infrastructure are the only reasons to include them in even routine systems maintenance programs. A handful of isolated events in the governance risk space may become significant if they set new standards for customer companies.

Weekly Intelligence Summary: 2009-11-20

Dave Kennedy
November 20th, 2009

Availability failures dominate risk developments this week. The regional blackout in Brazil noted at the end of last week’s report occurred on Tuesday, 9 November. First reports pointed to a thunderstorm, but this week technical details emerged suggesting an electronic attack may have been to blame. A router configuration error resulted in a nationwide disruption of air traffic in the US on 19 November. These events contribute to the crescendo of cyber warfare and cyber terrorism posturing contemporaneous with development of the US Federal fiscal year 2011 budget. Early reports of data breaches in the US and Spain indicate millions of records in multiple countries may have been compromised.