The VeriSign Security Review - December 2005 from VeriSign, Inc.

The VeriSign Security Review

December 2005

As 2005 draws to an end, enterprise security professionals will look back and enjoy a small sigh of relief before getting ready to defend the IT infrastructure in the New Year.

In this issue, we look at the latest Sober outbreak as well as observe a few trends for you to reflect on in 2006. We also celebrate VeriSign’s growth and expansion in Europe, as our U.K. staff moves to a new location.

We wish you a happy holiday season!

In this issue:

Hot Topics

Standards and Regulations

News from VeriSign

Ask a VeriSign Consultant

Security Events

Hot Topics

Sober Worm Makes Sobering Sweep

A mass-mailing worm that first appeared two years ago, and has resurfaced intermittently since then, has reappeared with formidable sophistication. Variants of the Sober worm were launched around November 13, 2005 in spam emails purporting to originate from the FBI, the CIA, the German Bundeskriminalamt, the U.K. National Hi-Tech Crime Unit, and even Paris Hilton. At its peak, the storm of attacks accounted for one of every 13 emails exchanged.

Intelligence from VeriSign® iDefense Malcode Labs suggests that these highly coordinated attacks were launched from Germany or another German-speaking country. Infected computers are possibly being manipulated for “hacktivist” political purposes, as attacks were timed around German political affairs. The image below depicts the progression of the recent Sober worm attacks.

[Image: progression of the recent Sober worm attacks]

The latest attack was launched on November 21, 2005, the day Germany inaugurated its first woman Chancellor, Angela Merkel, and it does not appear to be the last wave. An in-depth code analysis by VeriSign iDefense Malcode Labs revealed that the Sober.AC variant contains a timed trigger which allows it to download other binary components. The date of this trigger is January 5th of 2006, the anniversary of the Nazi party. In addition, the next triggered date – Jan. 6, 2005 – is timed with the "Drei-Koenigs-Treffen" conventions of the major German political parties.

To learn more about the VeriSign iDefense analysis, visit http://www.idefense.com.


November Threat Summary

Sober variants accounted for the month’s biggest attacks, yet other threats are already looming large. Variants of the infamous MyTob worm surfaced as MyTob.LY and FanBot.A. MyTob.LY is capable of a TCP SYN attack on a Chinese state television Web site. FanBot.A has recently sent itself to hundreds of clients via Skype emails. It is capable of spreading through peer-to-peer shared folders and PnP (MS05-039) exploitation, and it can also stop and disable Microsoft® Windows® Firewall and Windows updates.

Microsoft released a patch for its critical MS05-053 vulnerability. Affecting most current versions of Microsoft® Windows, including XP SP2 and Server 2003, the problem lies in the way the operating system handles Windows Metafile images. Likely to be used in targeted attacks, the flaw is exploited by convincing a user to open a malformed .wmf or .emf file, or preview it using the Microsoft® Outlook preview pane. If successfully exploited, an intruder would be able to execute code on the affected machine.

A Microsoft® Internet Explorer vulnerability that could be used for denial-of-service attacks has now been upgraded to “Extremely Critical” because a U.K. firm discovered that it allows remote code execution. The flaw is an example of IE incorrectly initializing certain objects, and can be exploited when the JavaScript "Windows()" command is used in combination with the "" event. For more information, see “Unpatched IE Bug Now Extremely Critical” on TechWeb.com.


Shift in Attack Vectors

The 2005 SANS Top 20 List is now in circulation, and it indicates that applications and network devices are increasingly being targeted in cyber attacks, rather than operating systems and server software. Allen Paller, director of research for the SANS Institute, says that there has been “a 90-degree turn-around” in attacks. Acknowledging that most enterprises have adopted methods to automatically patch the “commonly attacked” systems, he points out that application patching is not nearly as prevalent, making it almost impossible to combat these new types of attacks. Client-side applications, backup and anti-virus software, and network devices are now being recognized as primary targets for compromise. Compiled annually since 2000, the list includes network devices for the first time this year, with Cisco flaws taking three of the 20 slots. Complete details of the report are available at the SANS Web site.


Routers: The Next Big Target

The Cisco Systems® Internetwork Operating System (IOS) has surpassed the Microsoft® Windows operating system as the biggest target for hackers, because IOS runs not only the Internet's core but also the network routers that could allow hackers to get inside networks and perhaps the systems connected to them. IOS is complex, with various versions in differing states of upgrade, so network administrators and security professionals will face an extremely difficult time trying to protect their networks while using IOS. Cisco recently announced a "heap overflow" vulnerability in IOS that could lead to denial-of-service exploits, but the company is not aware of any "active exploitation" of the vulnerability and has provided patches to protect the system.

Much of Cisco's security frustration lies in users unwilling to implement security upgrades because of the time and effort required. Forrester Research analyst Robert Whiteley already refers to IOS as "monolithic and bloated," with each new upgrade, such as the upcoming IOS version 12.4(4)T, adding to the system's size. Cisco is taking the complexity and size issue of IOS to heart and has released IOS XR, a scaled-down version of IOS meant for the Cisco Systems® CRS-1 Carrier Routing System. George Roettger, Internet security specialist at Internet service provider NetLink Services, predicts a large-scale IOS attack within the next year due to increased awareness of IOS vulnerabilities among hackers. Meanwhile, Cisco's network-security business, which had more than $1 billion in revenue in 2004, continues to grow, and Cisco users and the general public have yet to lose faith in the company's ability to protect their networks.

http://www.informationweek.com/story/showArticle.jhtml?articleID=173402976


New Study Details Phishing Tactics

The Identity Theft Security Council released a comprehensive study on phishing. The study, entitled Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures, is sponsored by the Department of Homeland Security and is published on the Antiphishing.org Web site. It examines the information flow in phishing attacks, technologies used by phishers, as well as countermeasures.

In an illegal industry where billions are at stake, phishers can afford to apply technological and social engineering tactics. This study is a timely dissection of phishing techniques including deceptive attacks, in which users are tricked by fraudulent messages into giving out information; malware attacks, in which malicious software causes data compromises; and DNS-based attacks, in which the lookup of host names is altered to send users to a fraudulent server. Read the full report at

http://www.antiphishing.org/Phishing-dhs-report.pdf.


Scottrade Breach

Scottrade, one of the largest online brokerage firms, has re-issued an announcement to its customers regarding a recent data breach. The new announcement clarifies that none of Scottrade’s systems were directly compromised. Rather, the systems of its eCheck Secure service provider, Troy Group, Inc., are the ones from which customer private information may have been stolen. A review of press releases from the Troy Group does not provide any details of the compromise, nor information regarding the extent of the data at risk. This raises the question of whether Scottrade is the only eCheck Secure customer affected, or whether others may also be involved. Scottrade’s updated announcement appears here:

http://www.scottrade.com/security/

Information released by the Troy Group:

http://www.troygroup.com/AboutTROY/ViewPressRelease.asp?PRelId=68

A summary of data breaches and related information:

http://www.consumeraffairs.com/news04/2005/data_breaches_business.html


Standards and Regulations

Fed Adopts New Flaw-Ranking Standard

The National Institute of Standards and Technology (NIST) completed converting the National Vulnerability Database to the new Common Vulnerability Scoring System, standardizing the severity scores of more than 13,000 known vulnerabilities.

Managed by NIST and funded through the Department of Homeland Security, the National Vulnerability Database receives nearly 1.5 million hits a month and adds an average of 16 new vulnerabilities per day.

An industry initiative aimed at standardizing the severity rankings of security flaws, the Common Vulnerability Scoring System gives vulnerabilities a base score of severity, a temporal score that measures the current danger -- which could be lessened by a widely available patch, for example -- and an environmental score that measures an organization's reliance on the vulnerable systems.
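To make the three-tier scoring described above concrete, here is an added worked example in Python. It is not from the newsletter, NIST, or VeriSign. The tier structure (a base score, a temporal score that drops once a fix is available, and an environmental score that reflects how much an organization depends on the affected systems) is what the article describes; the specific weight tables and formulas are the editor's recollection of the CVSS version 1 scheme and are an assumption here, not the normative specification. The scenario itself (a remote, unauthenticated, complete-impact flaw with a functional exploit, scored before and after an official fix, for a highly exposed site and a lightly exposed one) is constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weight tables: ASSUMED values following the CVSS version 1 scheme as the
# editor recalls it. Check the published specification before relying on them.
ACCESS_VECTOR = {"local": "0.7", "remote": "1.0"}
ACCESS_COMPLEXITY = {"high": "0.8", "low": "1.0"}
AUTHENTICATION = {"required": "0.6", "none": "1.0"}
IMPACT = {"none": "0", "partial": "0.7", "complete": "1.0"}
# Bias lets an analyst weight confidentiality, integrity or availability higher.
IMPACT_BIAS = {
    "normal": ("0.333", "0.333", "0.333"),
    "confidentiality": ("0.5", "0.25", "0.25"),
    "integrity": ("0.25", "0.5", "0.25"),
    "availability": ("0.25", "0.25", "0.5"),
}
# Temporal metrics: these change over the life of a vulnerability.
EXPLOITABILITY = {"unproven": "0.85", "proof_of_concept": "0.9", "functional": "0.95", "high": "1.0"}
REMEDIATION_LEVEL = {"official_fix": "0.87", "temporary_fix": "0.90", "workaround": "0.95", "unavailable": "1.0"}
REPORT_CONFIDENCE = {"unconfirmed": "0.90", "uncorroborated": "0.95", "confirmed": "1.0"}
# Environmental metrics: these depend on the organization, not the flaw.
COLLATERAL_DAMAGE = {"none": "0", "low": "0.1", "medium": "0.3", "high": "0.5"}
TARGET_DISTRIBUTION = {"none": "0", "low": "0.25", "medium": "0.75", "high": "1.0"}


def _tenths(value: Decimal) -> Decimal:
    """Round to one decimal place, half up, as CVSS scores are reported."""
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def base_score(vector, complexity, auth, conf, integ, avail, bias="normal") -> Decimal:
    """Intrinsic severity: how reachable the flaw is times how much it can damage."""
    cb, ib, ab = (Decimal(b) for b in IMPACT_BIAS[bias])
    impact = Decimal(IMPACT[conf]) * cb + Decimal(IMPACT[integ]) * ib + Decimal(IMPACT[avail]) * ab
    exposure = Decimal(ACCESS_VECTOR[vector]) * Decimal(ACCESS_COMPLEXITY[complexity]) * Decimal(AUTHENTICATION[auth])
    return _tenths(Decimal(10) * exposure * impact)


def temporal_score(base: Decimal, exploitability, remediation, confidence) -> Decimal:
    """Current danger: the base score discounted by exploit maturity, fix availability and report quality."""
    factor = Decimal(EXPLOITABILITY[exploitability]) * Decimal(REMEDIATION_LEVEL[remediation]) * Decimal(REPORT_CONFIDENCE[confidence])
    return _tenths(base * factor)


def environmental_score(temporal: Decimal, collateral, distribution) -> Decimal:
    """Organization-specific priority: raised by collateral damage potential, scaled by how many systems are exposed."""
    lifted = temporal + (Decimal(10) - temporal) * Decimal(COLLATERAL_DAMAGE[collateral])
    return _tenths(lifted * Decimal(TARGET_DISTRIBUTION[distribution]))


def worked_example() -> dict:
    """Constructed scenario: one remotely exploitable flaw, scored for two organizations
    before and after the vendor ships an official fix."""
    base = base_score("remote", "low", "none", "complete", "complete", "complete")
    before_patch = temporal_score(base, "functional", "unavailable", "confirmed")
    after_patch = temporal_score(base, "functional", "official_fix", "confirmed")
    # Organization A: the flaw sits on most of its systems and an outage would be costly.
    critical_site = environmental_score(after_patch, "high", "high")
    # Organization B: a handful of affected hosts, little collateral impact.
    low_exposure_site = environmental_score(after_patch, "low", "low")
    return {
        "base": float(base),
        "temporal_before_patch": float(before_patch),
        "temporal_after_patch": float(after_patch),
        "environmental_critical_site": float(critical_site),
        "environmental_low_exposure_site": float(low_exposure_site),
    }


if __name__ == "__main__":
    for name, score in worked_example().items():
        print(f"{name:32s} {score:4.1f}")
```

The useful observation is in the last two numbers: the same flaw, with the same vendor fix available, lands near the top of one organization's work queue and near the bottom of another's. That is the prioritization effect the base and temporal tiers alone cannot express, and it is why a shared base score is a starting point rather than a final answer.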

For an industry in which severity ranking has been a complex, fragmented, and liability-ridden exercise, a common standard is welcomed by many, and converting the National Vulnerability Database is a significant endorsement of the Common Vulnerability Scoring System. The VeriSign® iDefense Intelligence Service is also among the first to adopt the system and will be implementing it in the first quarter of 2006.

“A standardized view of vulnerability severity allows security professionals to prioritize their workloads and quickly see when those priorities have changed,” says Joseph Payne, president of VeriSign iDefense. “To be most effective, CVSS needs the most accurate and current data possible. The best-in-class vulnerability data available in iDefense Intelligence Reports will give our customers the most effective implementation of CVSS possible.”


Federal Data Security Law

A draft US law to increase the security and privacy of personal information held by companies was approved by the influential Senate Judiciary Committee. The Personal Data Privacy and Security Act of 2005 includes a duty to disclose security breaches. The bill, sponsored by Senators Arlen Specter and Patrick Leahy, aims to ensure that companies with databases containing personal information on more than 10,000 U.S. citizens establish and implement data privacy and security programs and vet third-party contractors hired to process data. It imposes stiff monetary and criminal penalties for breaching said data. The draft will now move forward to a full Senate hearing.


News from VeriSign

Password Thefts More Active Than Ever

VeriSign iDefense Security Intelligence Services revealed a 65 percent increase in key-logging activities. By the end of 2005, hackers will have unleashed a record-setting 6,191 programs called keyloggers, up from 3,753 in 2004.

Keyloggers are silently installed to record users’ keystrokes. Largely distributed by organized cyber-theft groups, they are typically packaged with phishing emails or spyware and often elude traditional security defenses such as firewalls and anti-virus software.

Worth noting is the fast pace of keylogger growth – more than twentyfold over the last five years.


Airspan Uses VeriSign’s Custom Device Certificate Service for 802.16 WiMAX Products

Airspan Networks has selected the VeriSign® Custom Device Certificate Service to help operators ensure broadband wireless service security. Airspan will leverage VeriSign’s highly scalable intelligent infrastructure services to generate digital certificates in volumes adjusted to its production schedule to keep up with varying levels of customer demand. Additionally, VeriSign will provide Airspan with the expertise to integrate the certificate provisioning process with Airspan’s existing manufacturing operations, providing a more efficient means to generate certificates. Read the press release for more information.


VeriSign Opens New London Offices

Christmas comes early for VeriSign’s U.K. office as it moves to a new building in west London between December 10th and 11th. The move underscores VeriSign's plans for rapid expansion in the U.K., as Souheil Badran, vice president of Europe, Middle East, and Africa (EMEA) marketing, explains: "We continue to execute on our growth plans in EMEA and have centralized some functions in the U.K. The new facility provides us with room for growth and closer access to our target customers in the U.K. The facility provides a professional environment for our customers, partners, and prospects and ensures easy access through well positioned transportation links." 

Equidistant between London Heathrow and London City airports with excellent transportation links to London and the M4 corridor, VeriSign’s new office features modern, open-space design, as well as areas set aside for meetings, demonstrations, and training.

New contact information:

From the 11th December, the new address will be:

2nd Floor, Water Front 
Chancellor's Road 
Hammersmith Embankment 
London 
W6 9XR

Sales: +44 (0)800-032-2101
Fax: +44 (0)800-032-2087


Ask a VeriSign Consultant

This column is on holiday, and we take the opportunity to invite Ken Dunham, director of malcode intelligence, to give us an outlook of the 2006 threat landscape. We will continue answering your questions sent to askverisignsecurity@verisign.com in the New Year.

2006 Threat Landscape

From January to October 2005, VeriSign® iDefense reported on 2,461 new vulnerabilities, 525 exploit codes, and over 3,000 malicious codes. Over 13,000 unique malcode reports were identified during this time period, of which 97 percent were considered low-level malicious code threats. Only one extreme malcode threat incident occurred: the Plug-and-Play exploitation by ZoTob and other bots in the summer. This data leads to a few significant interpretations:

The sheer volume of reported vulnerability and malcode threats continues to be very high. Hackers literally have thousands of new opportunities for attack every year.

High-profile large-scale malicious code attacks are fading into the sunset. Current trends indicate that multi-variant, under-the-radar attacks are quickly becoming the attack technique of choice.

Rapid exploitation has proven to be the highest risk situation to date, where attacks may occur before it is physically possible to fully patch a large network.

Other notable trends in 2005 include:

Criminalization and commoditization have matured. Criminals are making money wherever they can and have developed well funded and organized underground channels to move money and stolen commodities.

Targeted attacks upon select individuals and organizations are on the rise, with lower level hackers getting into the game.

Industrial espionage is big business. (In Operation Horse Race, for example, a programmer created customized Trojans for several thousand dollars per variant.)

Adware and spyware have become household names. They will continue to be widely distributed in 2006, both legally and illegally through hackers seeking affiliate cash.

Threats are becoming more sophisticated and are moving up the networking chain to DNS servers and hosts.

Automated opportunistic and multi-variant attacks are becoming the norm for attacks.

Financial gain will continue to be the dominant motive of cyber crimes, and 2006 will see criminal gain on the Internet more fully exposed. Continued success by law enforcement, investigations into sophisticated global fraud operations, and research into computer security incidents will help to uncover the truth about such criminal operations.


Security Events

December 12-16, 2005 
Interop Security Conference 
New York, NY

December 14-15, 2005 
SecureWorld Expo 
Washington, D.C.

January 12, 2006 
NTCA Broadband Summit 
Las Vegas, NV
