Archive for September, 2011

2011 PCI Compliance Report Released

Wednesday, September 28th, 2011

by Andi Baritchi

About this time last year, we published the first Verizon PCI Compliance Report (PCIR). It’s that time again – you can get the new 2011 PCIR here. Like the original Verizon PCI Compliance Report, the new PCIR is chock-full of analysis and insights. Building upon the acclaimed Verizon Data Breach Investigations Report (DBIR) series, in the PCIR we take a hard look at payment card breaches and how PCI Data Security Standards are affecting the risk landscape. We attempt to answer the burning questions in the PCI community, such as:

• Is PCI really helping reduce risk and improve security?

• What’s the difference between security, compliance, and validation?

• What controls have the strongest inverse correlation with a data breach?

• Why do 44% of all breaches take over a year to be discovered?

We realize there are some strong feelings out there about PCI, but whatever your PCI worldview, try to focus on the data. Our analysis is based upon real QSA assessments and real breach forensics investigations, and we’ve tried to provide an impartial look at the findings around validation and compliance, and how the PCI DSS requirements relate to the top threats to payment data.

Whatever your thoughts, we’d appreciate you sharing them here. There are some interesting surprises in the data, and we look forward to the lively conversation. You may also want to check out the 2011 PCI Compliance Report podcast with Jen Mack, director – PCI Consulting Services, and Wade Baker, director – Risk Intelligence.

Weekly Intelligence Summary: 2011-09-23

Tuesday, September 27th, 2011

The InfoSec vocabulary word for the week: “saibā kōgeki.” Mitsubishi Heavy Industries (MHI), Kawasaki Heavy Industries and Ishikawajima Heavy Industries, all Japanese Defense manufacturers, reported attacks to the National Police Agency. Targeted e-mail attacks with stealthy Trojans were used in the attacks on MHI. Government web sites in Japan were the target of denial of service attacks last weekend that were almost certainly unrelated to the attacks on the defense companies. In the US, the Financial Times reported attacks on CACI, ManTech and Thomson Reuters. The web site of one of Venezuela’s largest newspapers, Últimas Noticias, was compromised and had a redirect to a malware download. And systems at the Intelligence and National Security Alliance were compromised and their membership rolls released to Cryptome.

Weekly Intelligence Summary: 2011-09-16

Friday, September 16th, 2011

Anonymous is scheduled to release a new DoS tool, Refref, on Saturday 2011-09-17. They will also attempt a protest in the real world, Occupy Wall Street, and will stage similar protests in a handful of other cities on the same day. The Anonymous collective can be a significant threat. The Risk Team will be collecting info about these activities, but we assess they will probably not have an immediate impact on Verizon Cybertrust Security customers. Microsoft and Adobe released scheduled security updates. We recommend routine priorities for patch deployment. In hindsight, this was one of the very few weeks this year where we wish we’d burned some vacation days. InfoSec risk intelligence was both sparse and boring.

Enterprise Anti-forensics

Thursday, September 15th, 2011

It’s no longer uncommon for forensic investigators to come across remnant evidence of anti-forensic measures taken by criminals during the course of a forensic engagement. The purpose of such measures, obviously, is to keep both the crime and the criminal hidden from detection. This may take the form of attempts to remove traces of malware or crimeware used to perpetrate an intrusion, or securely deleting sensitive information after pilfering it (to prevent investigators from accurately determining the scope of a compromise).

In our own experience, we see anti-forensic techniques involved in approximately 30% of cases. This percentage has remained relatively constant for the last several years (as shown in DBIR statistics). For obvious reasons, anti-forensic measures can frustrate, and often largely inhibit, the progress of investigative casework.

Weekly Intelligence Summary: 2011-09-09

Friday, September 9th, 2011

The RISK Team sees no imminent threats this weekend that would give rise to increased vigilance or anxiety. Trojans and criminals weren’t the biggest headaches for many InfoSec professionals in the States this week. In the US, Tropical Storm Lee and Hurricane Irene have brought the worst flooding in 40 years to the Northeast. In the Southwest, millions were in the dark Thursday and Friday after human error and heavy demand due to a heat wave cascaded through the electric grid. In Oz, criminals have threatened an IT executive in Melbourne because he’s been too vocal in calling attention to a surging fraud scheme. Several high-profile companies were the victims of a DNS hijacking Sunday night. Brian Krebs continues to shine a spotlight on criminals behind notorious malware operations; this week’s target was a Russian who may control the TDSS botnet/rootkit/Trojan. From Spain, VirusTotal reported additional details on the targeted Trojan attack that breached RSA and included two US defense organizations.

Thank Goodness for Fraud

Wednesday, September 7th, 2011

Odd title, I know, but there’s an element of truth there. Allow me to explain.

If you’ve read our Data Breach Investigations Report, you’ll probably remember that we’re not overly encouraging about the ability of organizations to detect and respond to security incidents. It’s been our very consistent finding over the years that breach discovery takes far too long and, when it finally happens, it’s usually because a third party notified the victim of their predicament.

Timeframe

What makes all this worse is that both the timeframe and method of discovery are almost always dictated by the criminal.

Read that again; I’ll wait.

As Bryan Sartin discussed some time ago over on Verizon’s ThinkForward blog, fraud committed using stolen data often triggers the discovery process. So, criminal actions enable us to catch criminal actions. Which leaves us security professionals with a burning question – where would we be without the help of fraud?

I’ll tell you the burning answer: 44 (I was so hoping it would be 42).

Recently, we’ve given several DBIR presentations to government agencies and other organizations that work in space. Such organizations are (understandably) more interested in the theft of IP and classified data than, for instance, payment cards. Thus, we’ve isolated such cases from the larger DBIR dataset and include stats around IP and classified data theft in these presentations (don’t get too upset – we’re sharing some of this with you too). The differences between these datasets are often substantial and provide plenty of food for thought…which brings us back to breach discovery, fraud, and the number 44.

Of all breaches involving IP or classified data, 44% take years or longer to discover.

Read that again; I’ll wait.

Why? It is almost certainly because such data is not used for post-breach fraud like payment card and personally identifiable information. Instead, you look up a couple years later and wonder at the surprising similarity between your gizmo and the enhanced version your competitor just launched. The ironic truth is that without the help of the credit card companies and their comparatively mature and effective fraud detection mechanisms, we’re left to our own devices. And that, my friends, spells trouble.

So, thank goodness for fraud; what would we do without it? What ARE we doing?

Weekly Intelligence Summary: 2011-09-02

Friday, September 2nd, 2011

Morto who? On Sunday the InfoSec world was all atwitter (I just couldn’t help myself) over the Morto RDP worm. Andrew Brandt at Webroot wins the award for August’s Best “Bottom line, the worm was written to spread to (and infect) the computers run by people who don’t take security seriously.” Then along came DigiNotar. It drew comparisons to the RSA breach, not because of phishing or APT, but for unanswered questions when their parent company, Vasco, tried to manage how smart people think. The Certificate Authority/TLS security model is not perfect, but the risk of compromises is dwarfed by the costs radical changes could cause. Kernel.org reported a breach, and Jonathan Corbet’s candid and detailed summary should be required reading for anyone with interests or concerns about the risks to the Linux kernel’s source code.