Archive for December, 2009

Weekly Intelligence Summary: 2009-12-18

Friday, December 18th, 2009

Reports surfaced this week of a previously unknown vulnerability in Adobe Acrobat and Reader used in targeted attacks, along with one report of a “drive-by-download” from a “normal” web site. Once again, Acrobat and Reader and their interaction with JavaScript have resulted in compromises. However, the number of attacks is tiny, and IDS and anti-virus products are being updated to further reduce a very low risk until patches become available on 2010-01-12. Twitter suffered a DNS hijacking attack on Friday, but the root cause is unclear. The Australian government is moving ahead with plans for nationwide network filtering, primarily of obscene content, but implementation is more than a year off. A new version of Ruby on Rails addresses vulnerabilities. Research in Motion suffered through a BlackBerry e-mail outage on Thursday. All in all, it was a relatively unremarkable week in Information Security Risk.

“Operation Chokehold” is Unquestionably Irresponsible

Friday, December 18th, 2009

A “flash mob” effort threatens to attack AT&T’s wireless network later today. This is simply wrong. Nice people do not do this.

Professionals do not engage in this sort of behavior. The purported motivation or provocation is irrelevant. Deliberately trying to degrade the service one pays a provider for is contradictory, rude and possibly illegal. The Verizon Business Risk Team condemns this attack and any similar activities.

Weekly Intelligence Summary: 2009-12-11

Friday, December 11th, 2009

Microsoft and Adobe security bulletins and a surge in malicious PDF files lead the InfoSec issues relevant to risk in enterprises this week. Two of this month’s Microsoft patches are in critical security infrastructure and so have received our 30-day recommendation, as has the Internet Explorer cumulative update. The IE vulnerability disclosed via Bugtraq on 2009-11-20 was among those closed by the cumulative update to IE. Adobe fixed seven vulnerabilities in Flash and AIR. Rootkit-enabled Trojan horse code in PDF files is the flavor of the week from the Zeus gang. Three developments in Governance risk may result in greater compliance costs for many businesses.

RAM scrapers: The sky isn’t falling

Friday, December 11th, 2009

In the last day or so, we’ve seen several articles and web chatter on RAM scraping malware as described in our 2009 Data Breach Investigations Supplemental Report. Some of this discussion seems to be heading in a bit of a sensationalist direction. Others suggest that some of the information we present is inaccurate. We’d like to head this off with some quick Q&A for clarification.

Q: Why do we say RAM scrapers are “a fairly new form of malware”?
A: Because their occurrence is fairly new among breach investigations in our caseload. We aren’t suggesting the concept itself is new.

Q: Is this the end of the Internet or data security as we know it?
A: No, of course not.


2009 Data Breach Investigations Supplemental Report

Wednesday, December 9th, 2009

Verizon Business released the 2009 Data Breach Investigations Supplemental Report today. As you may know, the supplemental report addresses requests, issues, and questions that arise from our readers regarding the annual Data Breach Investigations Report (April, 2009). This year’s model is a catalogue of attacks that occurred most frequently in the data set used for the 2009 DBIR.

It is, in large part, a divergence from previous reports in that it provides a more in-depth and wider view of a data breach, and is not solely statistics driven. The aim of the report is to provide both technical personnel and managers with a one-stop compendium of pertinent details on the widespread threats within our caseload. It is our hope that readers can directly utilize the information provided to prepare for, detect and, ideally, prevent these types of attacks.


Weekly Intelligence Summary: 2009-12-04

Monday, December 7th, 2009

The Advance Notification Services (ANS) from Microsoft for December’s security bulletins had the greatest impact on risk for Verizon Business customers. Adobe also made a pre-release notification for an update to Flash that took place on 2009-12-08. Time wasted worrying about newly announced vulnerabilities is a greater risk than the risk of attack on those bugs. Vulnerabilities in SSL VPNs, Novell eDirectory and BlackBerry PDF service are all unlikely to become attack targets. Their contributions to infrastructure are the only reasons to include them in even routine systems maintenance programs. A handful of isolated events in the governance risk space may become significant if they set new standards for customer companies.