Weekly Intelligence Summary: 2012-01-27

Dave Kennedy
January 27th, 2012

In terms of risk to Verizon Security customers, the most significant developments this week revolve around governance issues in Europe. Data protection, privacy and anti-piracy laws, regulations and agreements are in flux and regardless of the final outcomes, the changes themselves are costly. Predictably, Anonymous finds only fault with these developments, thus attacks and threats of attacks are among this week’s intel collections. The RISK Team had to dip into our reserves of skepticism in the face of reports of railway hacking in the northwestern US. Early reports have an aroma similar to hacked water pumps. Symantec pcAnywhere needs to be updated, but we assess calls to disrupt operations are hype. On the other hand, Trend Micro’s report of malware exploiting a vulnerability from a January Microsoft security bulletin reflects an in-the-wild risk. So far, that risk has very limited scope.

Considering Vulnerability Disclosure in the Realm of SCADA Systems

admin
January 24th, 2012
Every once in a while, a vulnerability disclosure incident occurs that significantly changes the game. Recently, Digital Bond released vulnerability information in conjunction with exploit code packaged in Metasploit for 6 different SCADA system devices. This time around, the stakes have been raised with much bigger consequences.
 
With consequences this high, it is worth re-evaluating the impact of vulnerability disclosure on risk in the IT environment.
 
First, a brief reminder about how risk works. Even though we can’t measure it with precision, we can do a fairly good job in understanding when it increases or decreases. We do this intuitively every day regardless.
 
Risk is a function of threats, vulnerabilities, and consequences. Threats and vulnerabilities combine to contribute to the likelihood that a breach will occur. Consequences, or impact, provide the expected losses if a breach happens. We will not deal with measuring consequences since discovery/disclosure rarely impacts the level itself, so it remains constant for any scenario in this model.
 
Threat levels increase whenever the attacker costs are reduced or the benefits are increased. Attacker costs can be reduced by providing more information about specific vulnerabilities, and go lower still the more information is provided, with weaponization providing the lowest cost to entry (with the exception of actually pointing out targets). Benefits increase with larger promise of fame, fortune, etc.
 
Vulnerability levels increase when the attack surface increases – typically when new software is introduced into an environment or a configuration change is made on existing assets. It is important to note that the act of discovering or disclosing vulnerability information does nothing to increase this level unless the act of addressing the known vulnerability results in the introduction of more new ones, for example deploying a patch that has more vulnerabilities than the ones it intends to fix (possible, but unlikely).
 
The promise of managing vulnerability levels, which is the basket bugfinders have their cards in, is in attempting to reduce the level through the identification of individual vulnerabilities and the application of controls – a configuration change, modified ruleset on intrusion prevention, and most often the application of a patch.
 
In their seminal work on the patch ecosystem, Timing the Application of Security Patches for Optimal Uptime, Beattie et al. model the patch process. They properly demonstrate that the decision to patch is more complex than the simplistic notion that all patches should be applied immediately. The real decision involves a cost-benefit analysis between the costs to patch (including effort and also potential patch failures) and the costs not to patch (risk of compromise). Given that the large majority of vulnerabilities are never acted upon by attackers in the wild, this is a challenging analysis.
 
With the preliminaries out of the way, we can evaluate the situation at hand. With Digital Bond et al., in conjunction with Rapid7 and their Metasploit team, releasing weaponized exploits for several vulnerabilities on several systems, they have artificially increased the threat.
 
Now, the question is whether this increase in threat can be offset by a decrease in vulnerability. Unlike with general-purpose computing, SCADA systems are often configured and left alone for significant periods of time because the operations are highly sensitive. This typically means that organizations are very reluctant to touch the systems. Accordingly, a vulnerability disclosure is highly unlikely to reduce vulnerability by enough to justify the increase in threat.
 
Perhaps more importantly, the consequences are worth discussing. SCADA systems increase the significance of vulnerability disclosure activities simply by introducing critical physical infrastructure into the consequence equation.
 
Ultimately, the release of these weaponized exploits and the corresponding vulnerability information has increased the threat and is likely to have minimal impact on vulnerability level for some time, meaning the risk is increased significantly.
 
Bugfinders do what they do for various reasons. Some are motivated by ego and pride, and even spite. It is worth identifying these people because often these emotions are given higher priority in their decision-making than the impact on risk. Therefore, they are willing to increase risk to society simply due to an emotional response because “the vendor was a jerk” or “they deserved it” because they were somehow slighted or ignored. All of us experience situations like these and need to work harder to overcome the spiteful response that demonstrates a lack of professional care.
 
Many researchers, truly the best and brightest technical minds in our profession, have positive intentions and believe their actions are beneficial to society. This is primarily because they are focused on vulnerabilities rather than compromises. They mistakenly believe that reducing the vulnerable state is beneficial because they fail to acknowledge that threat levels increase more than enough to overcome the slight benefit to vulnerability levels.
 
There are a number of reasons that researchers use to justify their actions. We will ignore the petty ones for now and address the risk-oriented ones.
 
“It is better to know than not to know…”
 
The most common justification for vuln disclosure is the assumption that one needs to know about the vulnerability so it can be mitigated. While it is an attractive thought, the real problem with this idea is that nobody can know about every vulnerability. So, for example, though vulnerabilities that will be disclosed in months and possibly years in the future currently exist in an environment, they are not addressed in any way. While patching vulns often makes people feel like they are being productive, there are just too many to focus only on specific ones. This phenomenon, by the way, is well known in psychology as “the certainty effect.”

“We must find the vulnerabilities before the attackers do…”
 
This justification is attractive as well, and can work in some highly constrained environments where the population of vulns is relatively small. Unfortunately the evidence for success for all software is not promising. The problem occurs because there are too many vulnerabilities – whether that be a single IT environment or the entire software universe. A conservative approach to understanding this would be to do the math on likelihood of collisions – which I can’t do, but it is similar to that done in determining the likelihood of a hash collision or to the birthday problem where 365 days is replaced with an estimate of the number of vulnerabilities in your population – that is, number of vulnerabilities that exist whether or not they have been found. The collision rate is clearly not zero, but it isn’t very high, either.
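The collision arithmetic the paragraph above gestures at, worked out as an added example (this is not the author’s code or analysis). It assumes the simplification the birthday analogy implies: the vulnerabilities defenders find and the ones attackers find are independent uniform draws, without replacement, from the same latent population of N vulnerabilities, most of which nobody has found yet.

```python
from math import comb, exp


def p_no_overlap(total, found_by_defenders, found_by_attackers):
    """Exact probability that two independent, uniform, without-replacement
    draws from a population of `total` latent vulnerabilities share nothing.

    This is the hypergeometric tail: the attackers' `a` picks must all land in
    the `N - r` vulnerabilities the defenders did not find:
        P(no overlap) = C(N - r, a) / C(N, a)
    """
    n, r, a = total, found_by_defenders, found_by_attackers
    if r + a > n:  # pigeonhole: the two sets cannot avoid each other
        return 0.0
    return comb(n - r, a) / comb(n, a)


def p_overlap(total, found_by_defenders, found_by_attackers):
    """Probability that at least one defender-found bug is also attacker-found."""
    return 1.0 - p_no_overlap(total, found_by_defenders, found_by_attackers)


def expected_overlap(total, found_by_defenders, found_by_attackers):
    """Expected number of vulnerabilities found by both sides: r * a / N."""
    return found_by_defenders * found_by_attackers / total


def p_overlap_approx(total, found_by_defenders, found_by_attackers):
    """Birthday-style approximation 1 - exp(-r*a/N); adequate when r, a << N.

    Useful when N is large enough that comb() becomes unwieldy.
    """
    return 1.0 - exp(-found_by_defenders * found_by_attackers / total)


def collision_table(scenarios):
    """Evaluate a list of (N, r, a) scenarios and return the rows computed."""
    rows = []
    for n, r, a in scenarios:
        rows.append({
            "population": n,
            "defenders_found": r,
            "attackers_found": a,
            "p_any_overlap": p_overlap(n, r, a),
            "p_any_overlap_approx": p_overlap_approx(n, r, a),
            "expected_overlap": expected_overlap(n, r, a),
        })
    return rows


if __name__ == "__main__":
    # Constructed scenario values, not estimates from the essay: a small
    # product with few latent bugs versus a large code base with thousands.
    constructed = [(50, 10, 3), (2000, 100, 20), (20000, 500, 50)]
    for row in collision_table(constructed):
        print(
            f"N={row['population']:>6} r={row['defenders_found']:>4} "
            f"a={row['attackers_found']:>3}  P(any overlap)="
            f"{row['p_any_overlap']:.3f}  approx={row['p_any_overlap_approx']:.3f}"
            f"  E[overlap]={row['expected_overlap']:.2f}"
        )
```

The chance that at least one bug collides grows with r·a/N, while the expected number of shared bugs stays small whenever N is large relative to what either side finds, which is the author’s “not zero, but not very high” point.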
 
“It is the only way to defend ourselves…”
 
Many security pros still believe that identifying specific vulnerabilities and patching them is our best hope in protection, even if it is a hopeless cause. This simply isn’t true. We see that in the evidence – since we know that we can’t find all the vulns before the bad guys, it is inevitable that we find out in other ways – either through behavioral analysis, heuristics, or some other means. It happens a lot less than compromises of known vulnerabilities (for obvious reasons) but it still happens. This is the area where we really need to get better, since we know there are unidentified vulns in our environment currently.
 
“It reduces risk in the long run by making vendors and developers more secure programmers…”
 
This justification is often used but completely unjustified. A simple look at the total number of vulnerabilities found every year shows an increase more often than not, and when it doesn’t people are quick to point out that there are still many more vulns out there that remain undiscovered. Just comparing the amount of new code written every day to the number of vulnerabilities found in the same period is a sobering thought exercise.
 
On the other hand, people make qualitative claims of success in certain contexts and perhaps this is true. In these situations, it is worth considering alternative approaches that might provide the same benefit at lower cost. Presumably, everyone agrees that compromises would occur with or without public vuln disclosure. If this is the case, then breach evidence could provide just as effective, perhaps even more effective, justification for training developers to be more secure. Consider, for example, that perhaps the most publicized success in this area – the Trustworthy Computing initiative at Microsoft – was only initiated after Code Red and Nimda ran wild across the Internet, many thousands of disclosed vulnerabilities after the fact.
 
As a profession, and really a society, we have tolerated and even lauded bugfinding activities without any evidence that it helped. It can be exciting because many of the characters involved have colorful personalities and are clearly among the best and brightest, as mentioned earlier. Risk management is challenging to begin with, so being able to cling to specific data and resolve it makes us feel like we are demonstrating progress. SCADA consequences increase the stakes significantly – into the physical realm. It is time to consider the implications of our actions and respond accordingly.

by Pete Lindstrom


Weekly Intelligence Summary: 2012-01-20

Dave Kennedy
January 20th, 2012

The period of tedium in risk intelligence ended last week. An already busy week was capped when Digital Bond announced serious, but non-specific vulnerabilities in six control systems. This happened at their S4 conference under the auspices of creating a “Firesheep moment.” We could interpret that to mean some sort of wake up call to the industry, but happily (for them) it also self-serves to drive business for Digital Bond and attendance at future conferences. In conjunction with Rapid7, PLC exploit modules are being released increasing risk in the short-term for any organizations running those systems. Since these are control systems, this action impacts not just hardware, but potentially the day-to-day lives of people. Persons exhibiting a blunted affect cannot appreciate that they are affecting risk much more significantly than the incrementing vulnerability aspect of risk – unskilled and apathetic attackers will probably add these exploits to their existing attack portfolios, at much lower cost to them. Evidence of long-term benefits of actions like these is specious, given the supply of bugs seems to significantly exceed demand. Ultimately, an artificial increase in risk highlights the inherent conflicts of interest (the only clear winner here is Digital Bond). There are much better, scalable ways to get a point across – and truly reduce risk to control systems - than by jeopardizing infrastructure.

Weekly Intelligence Summary: 2012-01-13

Dave Kennedy
January 13th, 2012

Paraphrasing Lenin: the last couple of weeks nothing has happened; in all likelihood, we’ll soon pay for them with a week when decades happen. The significant InfoSec risk data point this week was Microsoft Tuesday with seven bulletins and one Adobe bulletin. In the coming week, Oracle will release a CPU with 78 fixes for vulnerabilities in Oracle, PeopleSoft and Sun Solaris product lines. Wired declared Anonymous to be the net’s immune system. But an analyst is compelled to assess if Anonymous is becoming symptomatic of an autoimmune disease. This week, an entity self-identifying as Anonymous (yes, we get the contradiction) claimed responsibility for attacking IP organizations, control systems, a steel company, a site related to an MMORPG and Sony Pictures’ Facebook page. Attackers with affinity to Anonymous have a lengthy history of collateral damage or just plain misses.

Weekly Intelligence Summary: 2012-01-06

Dave Kennedy
January 6th, 2012

0.006 Percent. Technical media headlines exploded Thursday night after Seculert blogged that the Ramnit worm had compromised 45,000 Facebook users. But the headlines don’t read “Six one-thousandths of one percent of Facebook users infected!” One cannot make reasonable intelligence assessments while running around with one’s hair on fire upon seeing the number 45,000 in a headline. Sorry, Seculert, but our assessment is “noted.” The RISK Team regards it as a teaching opportunity. Analysts should avoid the seductive pull big numbers have. One must also assess context to arrive at risk. Readers of this blog are almost certainly (93% ±6%) using at least one risk mitigation measure that excludes them from the 45K; e.g. not being on Facebook to start with. So, in context, their risk is negligible. Noted. Move on to real risks.

Weekly Intelligence Summary: 2011-12-30

Dave Kennedy
January 4th, 2012

Microsoft issued an out-of-cycle security bulletin for four vulnerabilities in ASP.NET. Recall that large scale ASP.NET attacks took place recently (using unrelated vulnerabilities). It’s not too great a leap to give Microsoft a “trust me” and roll the bulletin out in 30 days or less. Stratfor was compromised and the RISK Team is more concerned about the 2.7 million e-mail messages than the 860K users, 50K e-mail addresses and 68K credit cards. The Care2 social network was also breached to the tune of 17 million users. The RISK Team extends to our colleagues wishes for a happy and prosperous New Year and for our adversaries to mend their wicked ways in 2012.

Announcing 2012 DBIR Participants

Wade Baker
December 27th, 2011

Ah, the week between Christmas and New Year’s Day: lots of folks out enjoying “use or lose” vacation time, the pace of work a bit slower than normal, significantly fewer emails and other distractions demanding attention. A great time to reflect on the old, anticipate the new, and cross off some long-standing items from the to-do list.

Given the nature of the season, it’s also appropriate to ponder the topic of sharing. Sure, there’s the sharing of time, fellowship, gifts, and food with which we’ve all been involved recently, but as the year draws to a close, many of us on the RISK Team are also thinking about sharing of a different nature – incident sharing.

It’s doubtful that security incidents made the top of anyone’s wish list this year (or any other), but the knowledge gained through studying them and sharing lessons learned is often considered to be a gift worth keeping. Many of you will remember that our effort to study and share incident information with the world is done through the annual Data Breach Investigations Reports (DBIR). Though the publication is still a few months away, we’re very glad to give a foretaste of what our readers can expect early next year.

We’ve continued our efforts to expand the scope and perspective of the DBIR, and the 2012 version should be the biggest ever in many respects. One of the things we’re particularly excited about is that we will have participants representing the Americas, EMEA, and APAC regions. Submitting data and analysis for the 2012 DBIR are:

  • The U.S. Secret Service
  • The Dutch High Tech Crime Unit
  • The Australian Federal Police
  • The Irish Reporting and Information Service
  • The London Metropolitan Police

We’d like to applaud and thank these organizations for their willingness to contribute to the 2012 DBIR and, more importantly, to increasing the collective knowledge of the security community. As we head into our annual DBIR production cycle, we’d like to wish you a happy and secure 2012.

Weekly Intelligence Summary: 2011-12-16

Dave Kennedy
December 19th, 2011

Adobe released updates for Adobe Acrobat and Reader version 9 for a vulnerability reported last week which was being used for targeted attacks. Enterprises that have not migrated to Adobe Reader X should test and deploy this patch within 30 days. More reports of exploits for a Java vulnerability patched by Oracle in October are showing up in crimeware. Video game company Square Enix (Final Fantasy, Kingdom Hearts) was the victim of another data breach and as many as 1.8 million accounts were compromised. Compromised account data included personal registration information but the site didn’t accept credit cards. They reported an earlier compromise in May. Symantec reported the Nitro attackers were still active and were spoofing Symantec to try to trick users to install Trojans. Microsoft released a lucky thirteen security bulletins, but also called our attention to general improvement across their products.

Weekly Intelligence Summary: 2011-12-09

Dave Kennedy
December 9th, 2011

Adobe announced a previously unreported vulnerability in Adobe Reader and Acrobat, and acknowledged Lockheed Martin and the Defense Security Information Exchange for reporting it. Mila Parkour and Symantec have additional details on targeted attacks exploiting the vulnerability. Defensive systems from AV to IDS have been updated this week to improve detection of related attacks. Your attention is invited to a post by Branden Williams on RSA’s blog and their “Security Practices Critical Checklist;” it is almost certainly the most widely useful risk intelligence collection for this week. To some it may seem like “mom and apple pie,” but if one considers the source – RSA’s experience on their own network and their perspective including their customers – it might be unwise to dismiss it. Another example of experience and perspective contributing to the credibility of an intelligence collection, RISK Team alumnus Alex Hutton made some pointed observations on risk management on the New School security blog. Microsoft pre-announced fourteen bulletins for Tuesday and if that isn’t sobering enough, read Paul Ducklin’s report on malware on thumb drives. Picking up a lost thumb drive is the antithesis of a “lucky penny.”

Weekly Intelligence Summary: 2011-12-02

Dave Kennedy
December 2nd, 2011

From the same source that informed us that Sergey Brin and Steve Ballmer cooked up a “new and frightening Stuxnet” on Larry Ellison’s barbecue, we now hear about West Milford, New Jersey’s “water plant victim of ‘Terrorism.’” After the “comedy of errors” at an Illinois water plant, stirred up by Joe Weiss, we had expectations that the irrational hyperbole might be tempered; apparently not. Last month, we learned of targeted attacks on energy and defense companies as well as SCADA systems in Norway. This week, we learned of attacks on Canadian companies related to chemicals and mining. Kaspersky continues to analyze and share details on Duqu. A year ago we were led to believe Zeus was on the way out but new reports from Brian Krebs and Symantec make it clear it’s a continuing threat. The most interesting InfoSec intel collection this week was Edward Jay Epstein’s unconfirmed account of Dominique Strauss-Kahn’s day on 2011-05-14. Think InfoSec by Ian Fleming. It remains to be seen if it will be in the library’s non-fiction section or in fiction next to Brin, Ballmer and Ellison’s virus and Weiss’ water pump, but it initially appears to be more interesting to follow.

Weekly Intelligence Summary: 2011-11-25

Dave Kennedy
November 28th, 2011

In the Republic of Korea, Nexon reported a massive data breach affecting as many as 13 million users in the MMORPG MapleStory. The Department of Homeland Security sent a go-team to Springfield, Illinois and determined every significant piece of last week’s report of SCADA hacking was baseless. It remains to be seen if the lemmings that leaped last week to conclude TEOTWAWKI was at hand have learned anything; their leader apparently has not. And finding an objective assessment of Android security lately is simply impossible. Google, unsurprisingly, says, “no problem.” Juniper, Websense, and Bit9, who all sell something in this space, seem to have other views. The RISK Team does observe developing for Android Market is easier than being accepted by Apple for iOS/iTunes and Apple appears to have more rigorous standards and testing for apps before they’re in iTunes than Google has for Android Market apps. However, intelligence analysis is too clouded by the hype to categorically exalt or damn either.

Weekly Intelligence Summary: 2011-11-18

Dave Kennedy
November 19th, 2011

Wednesday, technical media in the US were busy exercising their jumping-to-conclusions skills over a bug in Bind DNS software. Open source intelligence collections reflect about two dozen DNS servers experienced outages due to the bug; no one has reported any malicious traffic. The first lemming stampede was on when every hiccup on the Internet was blamed on: “someone DoSed my Bind server!” Action: don’t panic. As infrastructure, DNS servers should already be part of patch management systems. Patching Bind servers with “routine” priority is appropriate in the complete absence of threat reports. Thursday, unconfirmed reports of a hacking attack on a water plant in Springfield, Illinois became a media storm. DHS declared, “there is no credible corroborated data,” but the second lemming stampede is on. Action: do nothing until credible corroborated intel arrives. The reports might be true, but so far they certainly fail to meet any reasonable criterion for actionable. If only a portion of the lemmings’ energy reported more details on broad attacks on companies in Norway. Or reported on what happened at Valve to Steam users’ PII?

Quick response to “Thoughts on the 2011 DBIR and APT”

Wade Baker
November 17th, 2011

Over on the New School Security blog, Adam Shostack recently wrote an interesting piece on APTs but not the kind you’re thinking of. He was referring to “Authorization Preservation Threats,” and his subject matter was the 2011 DBIR. The post centered on the plethora of incidents stemming from exploits/failures related to authentication and authorization we observed in among the 761 incidents we analyzed this past year.

In the post, he mentions that he’d like to know the overlap between brute force attacks and default credentials. Happy to oblige, Adam.

  • Brute force only: 40 incidents
  • Default creds only: 97 incidents
  • Both: 160 incidents

Obviously, there are a lot of incidents that involve one or both types of attacks. As Adam writes in his blog, “I don’t want to attack anyone’s business here, but if you’re looking at any super-fancy technology before you’ve rolled out AD password policies and also mastered changing your passwords on the non-AD stuff, you’re ignoring the Authorization Preservation Threat.”

That’s pretty good advice if you ask me.

Weekly Intelligence Summary: 2011-11-11

Dave Hylender
November 11th, 2011

More than a dozen organizations collaborated to bring about Operation Ghost Click: six arrests and four million bots no longer under criminal control. Gary Warner at the University of Alabama at Birmingham posted a very good one-stop summary and he links to other reliable and detailed reports. Cynics may label it Whack-a-mole, but every arrest cements society’s mores and our refusal to accept cyber crime and dispossession of systems by sociopaths. There’s a full moon and another Adobe Flash and Google Chrome update. Coincidence? We might know in 28 days. Did Mitsubishi Heavy Industries take data breach management lessons from Sony? Their story gets worse at every turn; this week’s revelation was nuke plant designs leaked. And November’s Microsoft Tuesday was this week; Verizon Cybertrust Security customers have the RISK Team’s unflustered recommendations to avoid upsetting plans for the holidays.

Weekly Intelligence Summary: 2011-11-04

Dave Kennedy
November 4th, 2011

We may be entering another bi-polar phase in InfoSec intelligence. We’ve cycled from last week’s abundance of lame collections to this week’s abundance of useful, but generally not actionable, risk intelligence reports. Symantec released a report on “Nitro” targeted attacks from China on at least 48 chemical and defense companies in the US, Bangladesh and the UK. Symantec also revised their Duqu report after the Laboratory of Cryptography and System Security in Hungary reported a surprise attack in which a vulnerability exploited via an MS Word file dropped Duqu in a targeted attack. Microsoft issued a related Security Advisory and a “Fix-it” tool. The RISK Team recommends only the most risk-averse organizations act on it because the threat rate is so low. Microsoft pre-announced four security bulletins for next week and the Duqu-related vulnerability will probably not be among them. The US government’s National Counterintelligence Executive issued a report that removes doubt as to the countries conducting cyber-espionage against Google and companies in the US energy sector. The US Intelligence Community reported the People’s Republic of China was responsible: 31 pages and none of it actionable. Finally, some actionable intel: Qualys provided concise risk mitigation tips to reduce the effectiveness of slow HTTP DoS attacks. Cheers to them!