Archive for November, 2010

Weekly Intelligence Summary: 2010-11-26

Monday, November 29th, 2010

Targeted and insider attacks lead this week’s risk intelligence. Neil Schwartzman reported targeted attacks on e-mail service providers, direct mailers and gambling sites. FireEye reported on a cunning new backdoor that exploits CVE-2010-3962, the unpatched vulnerability in Internet Explorer. The Register has a report, very thin on substance, of a targeted e-mail attack on a UK Ministry of Defense department head. Microsoft Taiwan has a task force to respond to attacks targeting MSN Messenger users in that country. Insiders struck Monroe Community College, Ford Motor Company, the Ministry of Home Affairs (India) and the University of London. There’s a new Windows kernel escalation of privilege, probably. Dave Harley and Roger Thompson are trying to throttle down this week’s edition of supercharged Stuxnet stupidity. Good luck with that.

Enabling the Health Care Ecosystem

Tuesday, November 23rd, 2010

As you may know from reading our annual Data Breach Investigations Report (DBIR), authentication issues often play a role in security incidents. Verizon Business has been working on this issue within the medical community and recently created the Healthcare Provider Portal. The portal will provide U.S. physicians, physician assistants, nurse practitioners and other health practitioners the ability to send and receive information in e-delivery format, and offers credentialing to health care end users at no cost.

In January of 2011, Verizon Business plans to issue National Institute of Standards and Technology (NIST) Level 3 authentication credentials to an initial 2.3 million U.S. health care professionals free of charge. Using these identity credentials, health care professionals will be able to receive digital health information via the Verizon Medical Data Exchange using a secure, private inbox accessed from a new Web-based physician portal, the Healthcare Provider Portal.

You may remember that the Verizon Medical Data Exchange (MDE) was announced earlier this year. MDE, a fully interoperable and open standards-based platform, enables physicians to overcome traditional barriers to e-health adoption, including compliance, changing existing IT systems or investing in additional equipment or software. As a result, Verizon projects that an increasing number of medical professionals will use the exchange as a way to share patient health data electronically. Giving healthcare practitioners an end point to send and receive information removes the barrier to entry for usage, thereby making the exchange universal in nature.

The Medical Data Exchange will promote and support technology interoperability initiatives like Nationwide Health Information Network (NHIN), Integrating the Healthcare Enterprise (IHE), and the Direct Project. The Verizon Medical Data Exchange is designed to facilitate several “meaningful-use” requirements by enabling compliant data sharing that was established under the HITECH Act.

If you want more information on the Medical Data Exchange and how to participate, go to www.verizon.com/mde or email mdex@icsalabs.com.

Weekly Intelligence Summary: 2010-11-19

Friday, November 19th, 2010

One of the alarms I have set on my computer went off yesterday and I couldn’t remember why I had set it. Today I realized it was my “cyclic hyperbole over cryptography research” alarm. If you read “SHA-1 broken” give it a Bronx cheer and move on, or recall the same headline from 2005 or better yet, read the researcher’s own report. Last week we were seeking information on 1 million smartphone infections in China. Turns out it’s 40 million infections of Symbian smartphones. Russia is investigating some of their banks for supporting hacker attacks. And VISA issued a data security alert on criminals who submit false credits to debit cards by usurping a legitimate merchant’s acquirer or processor account.

VERIS Project Update, One Week In

Friday, November 19th, 2010

A *lot* of people have asked us how the Verizon Enterprise Risk and Incident Sharing (VERIS) community project is going one week later, and so we thought a small update was in order.

In order for this to really work, we need as much of your participation, enthusiasm and encouragement as possible. And so far, we’re overwhelmed with support. All your mentions on Twitter, invitations to speak and do podcasts and so forth, it’s just been more than we could ask for. So we earnestly thank you.

Similarly, we’re extremely pleased with the amount of traffic we see on the site.  The number of submissions and the sheer number of people inputting demos are very encouraging.

There are a number of questions surrounding the project that folks are asking, and both Martin McKeay and Dennis Fisher cover this in their respective podcasts.

If you have questions or thoughts that aren’t covered there or there are things regarding VERIS and the project that you’d like our thoughts on, please feel free to email the RISK team at veris@verizonbusiness.com.

Finally, I thought I’d share some pure awesomeness with you.  Some of you may have seen me tweet out that I did some “creative” submissions to the VERIS application when I was beta-testing.  Some of your submissions marked as “using the application for demonstration purposes only” are just as cool.   For example, one person wrote in:

“Skies rained fire, servers rebooted, ninjas made off with the espresso machine and the interns”

While an excellent incident, the RISK Team would like to take the opportunity to point out that you would actually need to check “environmental (other)” “availability (servers)” and then Physical (Other – essential stimulants and helpful assistants). Just typing in “environmental (other – world ending)” isn’t specific enough.


Weekly Intelligence Summary: 2010-11-12

Friday, November 12th, 2010

The most-recent, and unpatched, Internet Explorer vulnerability showed up in the Eleonore exploit kit and on Amnesty International’s Hong Kong website. To be sure, this risk is very low now, but this issue leads the Risk Team’s “on watch” list for issues we watch closely. The potential for a massive exploitation and the holiday shopping surge cause us to be especially on-watch for an out-of-cycle patch announcement from Microsoft. December’s “patch Tuesday” is more than four weeks off with Black Friday and Cyber Monday falling first. We’re also focusing collection for availability risk in the US financial services sector after a weekend “glitch” affected online or ATM access to about a dozen institutions. And Intuit reported a DoS attack last week. John DeMilo, general manager of an ATM network company, proved Bill Murray’s aphorism: “insiders can bring down the business,” after defrauding Connecticut’s Domestic Bank of US$4.8 million. We’re also keen to learn what mobile phone platform in China is experiencing one million+ infections of a premium SMS Trojan.

VERIS Community application launched

Thursday, November 11th, 2010

Today marks another milestone in our long-term VERIS project to collect incident data and make it more available to the security community. For the past few years, we’ve published the Data Breach Investigations Reports, which present statistics based on forensic investigations conducted by our IR services. Last March, we publicly released the Verizon Enterprise Risk and Incident Sharing (VERIS) framework used to collect data for the DBIR series. VERIS provides a common language for classifying incidents and removes a long-term roadblock to the goal of more widely available information on security incidents.

Today we introduce the VERIS Community application, designed to make sharing such information possible and practical.


Weekly Intelligence Summary: 2010-11-05

Friday, November 5th, 2010

Ohmygosh! Another week, another surprise attack. Last week, the civilized world was stunned to learn of a new Adobe Flash vulnerability under attack (which Adobe fixed), and this week we were floored upon learning Internet Explorer has another drive-by-download vulnerability. NVP’s released surprise attacks on Android 2.1 and Adobe Reader. Our colleagues in Japan have new Java and Ichitaro attacks to face as well. Coverity found 88 serious flaws in Android, but in 2004, they found 985 in Linux and in the following six years have been credited in two Red Hat Security Advisories. Microsoft pre-announced three security bulletins for November (Yea!). Pass the paper bag; we’re hyperventilating from all this excitement. If perchance the tongue-in-cheek tone didn’t come through: InfoSec risk this week was not significantly different from previous weeks.