Archive for August, 2010

Weekly Intelligence Summary: 2010-08-27

Friday, August 27th, 2010

Old news tried to dominate the InfoSec risk environment this week: “DLL planting” vulnerabilities in Windows go back to 2000. Zurich Insurance was fined £2.28 million for a data breach in 2008. Also in 2008, Spanair Flight 5022 crashed because the pilots failed to use their checklists and flaps, but wait! Now a virus is being blamed, in hyperbole far beyond what the evidence supports. A Deputy Secretary of Defense confirmed a widespread outbreak of thumb-drive malware in 2008. This revelation was made to “highlight policy responses” by the Pentagon, but, purely coincidentally, their budget is up for review. Current risks include massive frauds victimizing iTunes users via their PayPal accounts. And a 64-bit variant of the advanced TDL3 rootkit has been observed by Symantec and Prevx. Microsoft and Symantec can’t agree on which botnet sends the most spam, as if it matters. Maybe it will two years from now.

DBIR Cover Challenge Solved!

Thursday, August 26th, 2010

Congratulations to our DBIR cover challenge winners! We once again offered cash prizes for the first three individuals to solve our puzzle. We received the second and third place solutions early today. The winners are:

First place: Michael Oglesby of Oklahoma (see his write-up)

Second place: Jan Wiebelitz of Germany (see his write-up)

Third place: Christopher Kunz of Germany (see his write-up)

The RISK team would like to extend a warm thank you to you gentlemen, and to everyone else who participated in the contest for their hard work and their interest in our report. It took just shy of one month for all three winner slots to be filled. We will be releasing the details of the cover challenge over the next few days. If you would like to monitor the most recent twitter chatter, check out #DBIR. Nice job, guys.

Weekly Intelligence Summary: 2010-08-20

Friday, August 20th, 2010

Whoopee! We are so lucky this week! We all get to patch our Adobe Acrobat and Adobe Reader instances and race the criminals to see if we can patch faster than they can add it to their other Adobe sploits. Network Solutions took over first place from RIM in the biggest InfoSec headache category when lots of parked domains turned out to be offering up drive-by downloads. “Lots” because the numbers reported range from “millions” down to 120K, and rather than try to track that metrics contest, we’ll just go with “lots” since it gets the point across. Returning to the InfoSec headache top ten is Heartland Payment Systems who, best case, suffered a reputation attack when reports circulated that they are at the bottom of the Austin, TX area credit card frauds. If you’re responsible for Internet-facing ColdFusion deployments you should read this blog post from HP’s security evangelist; the Risk Team is unconvinced this will be used for attacks, but we want you to do your own assessment. When you’re taking a break from pushing out 15 Microsoft and a handful of Adobe patches, please head over to Professor Steve Bellovin’s page at Columbia University and contribute to their Facebook privacy study.

Cloud Computing & Polycentric Risk Tolerances

Wednesday, August 18th, 2010

Recently, I’ve seen two cloud computing advocates dismiss the notion of a private cloud out of hand. Basically, the complaint the cloudies offered was this:

“I’m a fan of private clouds, I just think that 90% of the corporate rationale for thinking private cloud is (bull).  If your rationale for building out a private cloud is just “general security”, you’re delusional or you’re the NSA.”

Similarly, I saw the statement:

“Security in cloud services can be constructed, maintained and operated at levels that are far beyond what’s cost-effective for almost any individual company or organization.”

The proof offered for this was a reference to a SaaS provider’s statement of ISO 27001 certification.

THE COST OF CLOUD COMPUTING

You never get something for nothing, right?


2010 DBIR podcasts

Tuesday, August 17th, 2010

If you like podcasts and you like our 2010 Data Breach Investigations Report, then this is your lucky day. Below you’ll find links to some podcasts we’ve done following the publication of the report in late July. We’re probably missing a few but this should get you started and we’ll add others as we find them or do them. Enjoy!

VZB Audio: http://www.verizonbusiness.com/resources/media/index-131070-dbir.xml

VZB Video: http://www.youtube.com/verizonbusiness

Threatpost: http://threatpost.com/en_us/blogs/alex-hutton-verizon-data-breach-investigations-report-081610

BankInfoSecurity: http://www.bankinfosecurity.com/podcasts.php?podcastID=644

FedNewsRadio: http://www.federalnewsradio.com/?nid=150&sid=2015737

ITAC: http://itacidentityblog.com/podcast-wade-baker-director-of-intelligence-risk-verizon-discusses-2010-verizon-data-breach-report

ZDNet AU: http://www.zdnet.com.au/data-breaches-it-s-criminals-again-339304943.htm?omnRef=NULL

Risky Business Australia: http://risky.biz/RB161

Secuobs France: http://www.secuobs.com/revue/news/244953.shtml

TV4 Sweden: http://www.tv4play.se/nyheter/nyhetskanalen?videoId=1.1742547

De Beveiligingsupdate Netherlands: http://debeveiligingsupdate.nl/tag/verizon-business/

NYM-InfraGard: http://jconcannon.wordpress.com/

Weekly Intelligence Summary: 2010-08-13

Friday, August 13th, 2010

Patch frenzy!?! Ah,…nope. Our To-Do list got longer this week, but our concerns last week about curtailed August vacations appear to be unfounded, and I’ll cop to it. Microsoft issued 14 bulletins and Verizon Business Cybertrust Security customers have had our recommendations since Wednesday. Opera and Chrome updated for security reasons. The sun rose in the east, and Adobe patched Flash, AIR, ColdFusion and Flash Media Server. The VxWorks embedded OS has four new vulnerabilities; affected devices should be protected with ACLs. Apple updated for the “jailbreakme” vulnerability and an NVP publicized exploit code. Cassandras have come out of the woodwork predicting doom. Systems are increasingly patching automatically; let them. For the rest, the Risk Team recommends you trust your existing patch management and enjoy the last month of Summer. Use the midnight oil on the squeaky wheels.

DBIR cover challenge clues

Wednesday, August 11th, 2010

——————

UPDATE:

OK, seriously. Whoever is dropping these hints off to Ryan Naraine (http://www.zdnet.com/blog/security/verizon-dbir-challenge-clue-2/7148) at ZDNet: You’re giving away too much.

——————

There’s been quite a bit of activity about the DBIR Cover Challenge on Twitter today (#DBIR).

Somehow, somebody is giving Ryan Naraine clues that he is posting over on ZDNet and Threatpost. Until we can stop these clues from leaking out, you’ll probably want to continue to monitor what Ryan is posting there and the activity and progress of DBIR cover crackers on Twitter.

Who Wants $500?

Monday, August 9th, 2010

Some of you may remember that the 2009 Data Breach Investigations Report had an enciphered message embedded in the cover and a $500 prize for the first person to crack it. That took Grant Stavely about a day last year and the 2nd and 3rd place prizes ($100 each) were awarded a couple days later.

At least one person has asked if we did something similar in the 2010 DBIR. We’d like to go on record and announce that the 2010 DBIR Cover Challenge is officially on and that the $500 is still up for grabs (along with 2nd and 3rd place prizes). Beyond that, our lips are sealed. Happy hunting.

Weekly Intelligence Summary: 2010-08-06

Friday, August 6th, 2010

The risk environment improved this week with the publication of MS10-046 to patch the .LNK vulnerability first reported with the discovery of the Stuxnet Trojan. Regarding all of the fussing over governments demanding access to BlackBerry traffic, the risk environment has not seen significant changes. At worst, some BlackBerry users are going to lose access to some services, for the time being. Verizon Business customers traveling internationally on business should be aware some services may not function in some countries. The wider impact may change over time, but it’s much too soon for hand-wringing. It’s too bad Microsoft doesn’t appreciate the proportion of the IT staff in the Northern Hemisphere who take vacations in August, because they’re pumping out a record 14 bulletins on Tuesday. Adobe will go out of cycle with an Acrobat and Adobe Reader patch the week of the 16th, and based on recent history, criminals will probably be attacking the vulnerability by then. Psst: Some folks, who really should know better, need to re-learn what “out-of-band” means.

Misinterpretation Alert – Insider breaches are NOT increasing

Friday, August 6th, 2010

We’re seeing some commentary on our 2010 DBIR that says something to the effect of “insiders are #1 threat” or “internal breaches are increasing.” Neither of these are true.

[Figure 6: Threat agents over time]

Granted, the percent of breaches that involve insiders is 22% higher in the 2010 DBIR than the 2009 version. We fully admit this is confusing and apologize if we did not clarify it enough in the report. The higher percentage of insiders is directly attributable to the Secret Service caseload which includes more internal breaches than our own. When you merge the two together, the “average” goes up. This does not mean there is an upward trend.

By examining the above chart (which is Figure 6 on page 13 of the DBIR) you can see that neither the Verizon nor the Secret Service data show a rising trendline for internal agents. The Verizon trendline is flat and the Secret Service trendline actually has a negative slope. In fact, of the three agent categories, outsiders are the only ones increasing in both datasets.

Bottom line: the increased percentage is not due to an increasing trend. It is purely the result of combining datasets.
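To make the merging effect concrete, here is an added example (not from the post or the DBIR; the case counts are constructed, not Verizon or Secret Service figures) showing that a caseload with a higher baseline insider share raises the pooled percentage even when neither source trends upward:

```python
# Constructed case counts: year -> (cases involving insiders, total cases).
# One source has a flat insider share, the other a falling one; the figures are
# made up for illustration and are not DBIR data.
OWN_CASELOAD = {2008: (20, 100), 2009: (18, 90)}    # 20% insiders both years
ADDED_CASELOAD = {2008: (30, 60), 2009: (28, 60)}   # 50% falling to ~46.7%


def insider_share(cases, year):
    """Percentage of a single source's cases in `year` involving internal agents."""
    insiders, total = cases[year]
    return 100.0 * insiders / total


def trend_slope(cases):
    """Least-squares slope (percentage points per year) of one source's insider share."""
    years = sorted(cases)
    xs = [float(y) for y in years]
    ys = [insider_share(cases, y) for y in years]
    x_mean, y_mean = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den


def merged_share(year, *sources):
    """Insider percentage after pooling the raw case counts of several sources."""
    insiders = sum(src[year][0] for src in sources if year in src)
    total = sum(src[year][1] for src in sources if year in src)
    return 100.0 * insiders / total


def apparent_jump(prior_year, year, own, added):
    """Change in reported insider share when the prior report used `own` alone
    and the new report pools `own` with `added`. This is the merging artifact."""
    return merged_share(year, own, added) - insider_share(own, prior_year)


if __name__ == "__main__":
    print("own slope:   ", trend_slope(OWN_CASELOAD))       # 0.0 (flat)
    print("added slope: ", trend_slope(ADDED_CASELOAD))     # negative
    print("own 2009:    ", insider_share(OWN_CASELOAD, 2009))
    print("merged 2009: ", merged_share(2009, OWN_CASELOAD, ADDED_CASELOAD))
    print("apparent jump:", apparent_jump(2008, 2009, OWN_CASELOAD, ADDED_CASELOAD))
```

The merged 2009 share sits between the two sources' own shares, so comparing it against last year's single-source figure shows a jump that no source's own trendline supports.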

The APT Goat Rodeo

Tuesday, August 3rd, 2010

Since the release of the 2010 DBIR last week, I’ve been doing some interviews and reading over public feedback. Quite a few times I’ve either been asked directly or read comments regarding our findings on Advanced Persistent Threats (APTs). Some simply wonder what our findings have to say about APTs, some say we’re “anti-APT”, and others claim we don’t give APT-related stats because we don’t investigate APT-related cases. There’s enough interest and speculation that I’d like to set the record straight.

In the report, we use the label of “hype” in reference to APT. This seems to have raised some hackles. I’m not sure why. One definition of hype is “excessive publicity and the ensuing commotion” and I’m at a loss for a more appropriate word to describe what I’ve witnessed of late. Do you really think the actual frequency of APT-related attacks/incidents this year has risen at an equal rate to the surrounding publicity and usage of the term APT? As stated in the DBIR, we are not denying that APTs are real. “Hype” is not the same as a “hoax.” Every definition I’ve seen for APT (there are quite a few) has a basis in reality. Your organization should evaluate and (if appropriate) plan/protect against attacks from nation-states and other highly skilled, aggressive, equipped, and persistent threats. It’s the “excessive publicity and ensuing commotion” rather than the concept itself that we tried to call out in the DBIR.
