Archive for January, 2010

Weekly Intelligence Summary: 2010-01-29

Friday, January 29th, 2010

Researchers at the University of Cambridge found design errors in 3-D Secure, the technology behind Verified by Visa and MasterCard SecureCode. The short-term risk is negligible, but the impact on trust in these systems may be the most significant InfoSec risk issue of the week. Spring (in the Northern Hemisphere) arrived early with InfoSec-related studies sprouting like dandelions, but with no discernible impact on risk. Cyberattacks on companies in the energy sector almost displaced “Aurora” after a Christian Science Monitor report, but a report in Forbes about security companies profiting from the attack reports is of equal importance. Revenue spent on unnecessary security controls acquired purely to relieve anxiety is a risk in the InfoSec space, and one that also must be avoided. Criminals enjoyed an unusually successful week, compromising TechCrunch twice, 30 US Congress web sites, and NASA, and causing mass infections at ThePlanet webhost. There does not appear to be a common cause for these intrusions, but SQL injection leads the list of suspected vulnerabilities.

7Safe Security Breach Investigations Report

Tuesday, January 26th, 2010

The UK Security Breach Investigations Report 2010 has been released. It is the joint work of 7Safe, the University of Bedfordshire, SOCA (Serious & Organised Crime Agency) and the Metropolitan Police Service. Quite a lineup.

In similar fashion to our DBIR, it covers 62 confirmed breaches investigated by 7Safe’s security breach investigations team. A first glance shows some very interesting statistics that are comparable to what we’ve been publishing for the last few years. We’ll publish a more detailed comparison in the next few days. For now, we just wanted to make sure folks knew it was out there.

We commend all involved for sharing this data.

Weekly Intelligence Summary: 2010-01-15

Saturday, January 16th, 2010

Reports of targeted malicious code attacks on Google, Adobe, Dow and at least 31 others have boosted consumption of Tylenol, Tums and electricity among InfoSec professionals this week. However, the true impact on risk was simply confirmation of the evolution of malware we’ve all seen since the Storm worm three years ago. In 2005, the Haephratis used targeted malcode attacks while seeking proprietary information. Gonzalez and crew stole $9 million (US) from ATMs in 43 cities globally over a two-day period in 2008. F-Secure reports 47% of the targeted attacks they intercepted in 2009 used PDF files. Adobe’s security bulletin is almost certainly the most significant risk development of the week. Plan, test and deploy that update. Microsoft and Oracle also released significant security bulletins that should be deployed by Verizon Business Cybertrust security enterprise customers.

Weekly Intelligence Summary: 2010-01-08

Saturday, January 9th, 2010

A second attack in as many weeks targeted a large, well-resourced DNS array; on Wednesday, InterNexX, a host for 2.9 million domains, was attacked and became intermittently available. This follows the attack on UltraDNS on 2009-12-23. Criminal manipulation of search engine optimization resulted in office.microsoft.com’s search function yielding results that redirected users through office.microsoft.com to a site trying to seduce users into installing a rogue anti-virus. Millions of bank cards in Germany and Australia, SpamAssassin and Symantec Endpoint Protection failed after rolling from the year 2009 to 2010. The Chairman of the FCC, the president of Iran, four government departments in the Philippines, on-line trading site collective2.com and the Pakistan National Response Center for Cybercrimes all fell victim to intrusions, mostly defacements. These incidents notwithstanding, malicious, JavaScript-laden PDF files sent in targeted attacks remain the most significant risk for Verizon Business enterprise customers. Fortunately, this coming Tuesday brings patches to Adobe Acrobat and Reader, Windows 2000, and “hundreds” of Oracle products. Happy New Year!

Weekly Intelligence Summary: 2010-01-01

Tuesday, January 5th, 2010

Targeted attacks using the most recent Adobe PDF vulnerability are the most significant issue in the risk environment this week for Verizon Business enterprise customers. The Waledac (aka Storm II) botnet went active last Wednesday evening with New Year’s messages leading to Trojans. On the previous Wednesday, 2009-12-23, someone attacked UltraDNS, the service provider for Amazon (including their clouds) and Wal-Mart, but the attack was either short-lived or easily mitigated by the hoster. Metasploit released a new module for a configuration-induced vulnerability in Internet Information Services (IIS), but the population of vulnerable systems is probably small, and among enterprises almost certainly not a significant risk.