Archive for February, 2010

Weekly Intelligence Summary: 2010-02-26

Saturday, February 27th, 2010

Microsoft, using lawyers and a team of researchers from universities and Symantec, took out the command and control nodes for the Waledac botnet. Waledac almost certainly has an affinity to Conficker, if it is not controlled by the same criminals. This was the week’s good news. Bad news dominated risk intelligence as Verizon Business customers have yet another Adobe product to include in routine patch programs; we posted our observations on Adobe security this week. Three Google executives were convicted in a criminal trial for violating Italy’s privacy laws after a bullying video was posted to the Google Video site in 2006. Intel Corp filed an SEC form 10-K revealing it had a “sophisticated incident” around the same time as Google’s “Aurora” attack, but they are not aware of any connection between the two. Zeus persists as the most risky malicious code threat; there were multiple reports of Zeus compromises and Rafal Los posted a superb description of a demonstration of a Zeus-related web application SQL injection problem on a corporate web site. There will undoubtedly be useful intelligence collected next week in conjunction with the RSA Conference. However, as the Northeast digs out from hip-deep snow, everyone should keep their stilts and hip waders at hand, as undoubtedly hype and FUD will also flow from the Moscone Center. Hopefully, this will be the extent of next week’s bad news.

Verizon Business professionals to speak at upcoming RSA Conference

Friday, February 26th, 2010

Security professionals from Verizon will be presenting or participating in panel discussions at RSA USA 2010 and at Mini-Metricon 4.5 in San Francisco, CA next week. The presentations are as follows:

Wade Baker, Alex Hutton and Chris Porter will present at Mini-Metricon 4.5 on 2010-03-01.

At the RSA Conference, in chronological order:

On Tuesday 2010-03-02:

Alex Hutton will be on a panel: Meet the Wizards: Behind the Industry Threat Reports, Session SIP-106 (Orange 307 @ 1:00 PM)

Wade Baker will present Evidence-Based Security: An Alternative To Hunches And Hype, Session GRC-108 (Green 133 @ 3:40 PM)

On Wednesday 2010-03-03:

Charles Spallitta will be on a panel: SaaS-Based Security Solutions, Session BUS-202 (Orange 302 @ 9:10 AM)

Marcus Sachs will be on the next panel: Proving the Worth of Security Metrics with Real-World Data, Session BUS-203 (also in Orange 302 @ 10:40 AM)

On Thursday 2010-03-04:

Marcus Sachs will be on a panel: Social Networking — Your Personal and Business Information in the Wild, Session EXP-303 (Blue 103 @ 10:40 AM)

A team of professionals from Verizon Business Security Solutions will be staffing Booth 2217 on the Expo floor. We welcome you to attend.

Thoughts on Mapping and Measuring Cybercrime

Monday, February 22nd, 2010

The following was submitted by request to the Oxford Internet Institute’s forum on Mapping and Measuring Cybercrime held in January 2010. It is posted here with their permission.

Benefits of Mapping and Measuring Cybercrime

There are numerous personal, organizational, national, and societal benefits to be gained from mapping and measuring cybercrime. In the broadest sense, these benefits can be summed up through the simple axiom “measurement enables management.” However, the last few decades suggest that the security community is prone to jump to management while bypassing measurement. Many checklists, standards, policies, and regulations have been created to manage cybercrime while there have been relatively few attempts to justify or validate their effectiveness. In fact, many do not even reference the need or means to do so. If we cannot reliably measure cybercrime, our efforts to manage it will be inefficient at best and ineffective (or perhaps even counterproductive) at worst.


Weekly Intelligence Summary: 2010-02-19

Saturday, February 20th, 2010

Lions, and tigers, and bears! Oh my! APT, and Kneber and Zeus! Oh my! Malicious code, crimeware, is among the greatest challenges InfoSec professionals face daily. Headlines and press releases notwithstanding, malcode risk hasn’t changed very much this year so far. Malcode risk is greater than it was a year ago, but a year ago it was also greater than it had been two years ago. The greatest risk InfoSec professionals faced this week was wasted time reacting to (expletive deleted). Our colleague, William H. Murray, remarked this week, “one must not only be able to resist an attack, one must be able to resist a siege.” This week’s minutiae include the Adobe Acrobat and Reader patch pre-announced last week. Firefox has a new version with security fixes. Cisco released three security advisories and Juniper one, all affecting security infrastructure components. The Risk Team’s recommendation for all of these updates is to include them in your routine maintenance program; they need not cause disruption with accelerated, “urgent” deployments. Use the yellow bricks to reinforce the castle’s walls.

Verizon Incident Metrics Framework Released

Friday, February 19th, 2010

Many of you who read our blog regularly are familiar with our ‘Data Breach Investigations Report’. We hope that you’ve found past reports informative, useful, and above all, actionable.

The production of the DBIR has been driven by our desire to help solve what we see as two of the most significant problems facing our industry:

  1. Uncertainty due to the lack of data
  2. Equivocality due to the lack of a common framework

Basically, we believe that until we can all be on the same page regarding what terms mean and why those terms are useful, we’re going to have a problem creating meaning from any data we *do* get.

One of the reasons we feel that the DBIR is so useful is because it translates the incident narrative (the attacker did this, then that, then the other thing) into a data set. To accomplish this translation, we used a set of metrics developed internally. Think of it as a framework of incident elements we believe will, when gathered consistently, help people better interpret data and manage risk.

Today we’re making a version of that framework, the Verizon Incident Sharing Framework (VERIS), available for you to use.


A Comparison of DBIR with UK breach report

Tuesday, February 16th, 2010

by Dave Hylender and Christopher Porter

A week or so ago, we posted a quick heads-up about the UK Security Breach Investigations Report. Although several others have been released since then (Mandiant and Trustwave), this one is particularly interesting for comparison to our DBIR because it focuses on breaches in the UK. (Note: the DBIR caseload has a US-based majority but a sizeable and growing number of European and other global breaches.) Although we often hear comments that suggest that breaches in the US are radically different and thus not comparable to those elsewhere, this report seems to suggest otherwise. The following is a high-level comparison of DBIR findings to the 7Safe report from the UK.

As an FYI, the scope of the 7Safe report is 62 cases over the last 18 months.


Weekly Intelligence Summary: 2010-02-12

Tuesday, February 16th, 2010

Thirteen Microsoft Security Bulletins lead risk developments this week simply because of their prevalence and mission criticality in most enterprises. The Risk Team believes that we will not experience attacks on any of those 26 vulnerabilities in less than 30 days. Adobe released updates for Flash, AIR, and BlazeDS and made a pre-release notification for more security updates to Acrobat and Reader to be issued on 2010-02-16. The Risk Team is as exasperated over the constant stream of Adobe insecurities as the rest of our profession. Adobe is making us long for the days when “chronically broken” meant Sendmail and Windows 95. While the posse mounted on APT rides that horse into the ground, losses mount from the collection of mundane, known attacks like Trojan horses, worms, SQL injection and DoS attacks. Noteworthy victims were reported on enterprises in India, Australia, the US and Cote d’Ivoire. In the first criminal trial under the US Economic Espionage Act, the sentencing this week of Dongfan Chung reminds us that subornation of privileged insiders is a timeless risk all enterprises face.

Recently published data breach studies

Tuesday, February 9th, 2010

In a recent blog post we mentioned that 7Safe had published a security breach report in the UK. Over the last week or so, two more major data breach reports have been published here in the US, proving the old adage that “when it rains, it pours.” I feel that there is a witticism about data leakage here somewhere, but it eludes me.

These reports, which were published by Trustwave and Mandiant, both appear to be well done and are certainly worth a read. We have heard about similar reports being published in the past by Trustwave, and have actually requested copies. We are glad to finally get our hands on one. Let’s hope that this trend will lead to greater information sharing in the security field in the future.

Weekly Intelligence Summary: 2010-02-05

Monday, February 8th, 2010

Criminals attacked Twitter and European carbon exchange markets using a similar modus operandi: multiple BitTorrent sites used a common template that has been found to include a backdoor to harvest login IDs and passwords. Similarly, bogus carbon exchange registries harvested other ID/PW combinations. Criminals exploited users’ habits of re-using ID/PW combinations across sites. A quarter million carbon credits worth €3m and an unknown number of Twitter accounts were stolen. Vulnerability pimps were out in force in Washington DC, as evidenced by interim security advice from Microsoft and Oracle to mitigate disclosures prior to patch availability. Verizon Business Security Solutions customers received the Risk Team’s assessment of the “APT” issue with our conclusion that it is not FUD, but it has been hyped. Finally, the Pushdo trojan was blamed for spurious SSL flows to 315 sites last weekend, but Trend Micro published research on Thursday declaring that the malware involved was not Pushdo.