Archive for November, 2011

Weekly Intelligence Summary: 2011-11-25

Monday, November 28th, 2011

In the Republic of Korea, Nexon reported a massive data breach affecting as many as 13 million users of the MMORPG MapleStory. The Department of Homeland Security sent a go-team to Springfield, Illinois and determined that every significant piece of last week’s report of SCADA hacking was baseless. It remains to be seen whether the lemmings that leaped last week to conclude TEOTWAWKI was at hand have learned anything; their leader apparently has not. And finding an objective assessment of Android security lately is simply impossible. Google, unsurprisingly, says, “no problem.” Juniper, Websense, and Bit9, who all sell something in this space, seem to have other views. The RISK Team does observe that developing for Android Market is easier than being accepted by Apple for iOS/iTunes, and Apple appears to have more rigorous standards and testing for apps before they’re in iTunes than Google has for Android Market apps. However, intelligence analysis is too clouded by the hype to categorically exalt or damn either.

Weekly Intelligence Summary: 2011-11-18

Saturday, November 19th, 2011

Wednesday, technical media in the US were busy exercising their jumping-to-conclusions skills over a bug in the BIND DNS software. Open source intelligence collections reflect about two dozen DNS servers experienced outages due to the bug; no one has reported any malicious traffic. The first lemming stampede was on when every hiccup on the Internet was blamed on “someone DoSed my BIND server!” Action: don’t panic. As infrastructure, DNS servers should already be part of patch management systems. Patching BIND servers with “routine” priority is appropriate in the complete absence of threat reports. Thursday, unconfirmed reports of a hacking attack on a water plant in Springfield, Illinois became a media storm. DHS declared, “there is no credible corroborated data,” but the second lemming stampede is on. Action: do nothing until credible corroborated intel arrives. The reports might be true, but so far they certainly fail to meet any reasonable criterion for actionable. If only a portion of the lemmings’ energy went into reporting more details on the broad attacks on companies in Norway, or on what happened to Steam users’ PII at Valve.

Quick response to “Thoughts on the 2011 DBIR and APT”

Thursday, November 17th, 2011

Over on the New School Security blog, Adam Shostack recently wrote an interesting piece on APTs, but not the kind you’re thinking of. He was referring to “Authorization Preservation Threats,” and his subject matter was the 2011 DBIR. The post centered on the plethora of incidents stemming from exploits/failures related to authentication and authorization that we observed among the 761 incidents we analyzed this past year.

In the post, he mentions that he’d like to know the overlap between brute force attacks and default credentials. Happy to oblige, Adam.

  • Brute force only: 40 incidents
  • Default creds only: 97 incidents
  • Both: 160 incidents

Obviously, there are a lot of incidents that involve one or both types of attacks. As Adam writes in his blog, “I don’t want to attack anyone’s business here, but if you’re looking at any super-fancy technology before you’ve rolled out AD password policies and also mastered changing your passwords on the non-AD stuff, you’re ignoring the Authorization Preservation Threat.”

That’s pretty good advice if you ask me.

Weekly Intelligence Summary: 2011-11-11

Friday, November 11th, 2011

More than a dozen organizations collaborated to bring about Operation Ghost Click: six arrests and four million bots no longer under criminal control. Gary Warner at the University of Alabama at Birmingham posted a very good one-stop summary, and he links to other reliable and detailed reports. Cynics may label it Whack-a-mole, but every arrest cements society’s mores and our refusal to accept cyber crime and the dispossession of systems by sociopaths. There’s a full moon and another Adobe Flash and Google Chrome update. Coincidence? We might know in 28 days. Did Mitsubishi Heavy Industries take data breach management lessons from Sony? Their story gets worse at every turn; this week’s revelation was that nuke plant designs leaked. And November’s Microsoft Tuesday was this week; Verizon Cybertrust Security customers have the RISK Team’s unflustered recommendations to avoid upsetting plans for the holidays.

Weekly Intelligence Summary: 2011-11-04

Friday, November 4th, 2011

We may be entering another bi-polar phase in InfoSec intelligence. We’ve cycled from last week’s abundance of lame collections to this week’s abundance of useful, but generally not actionable, risk intelligence reports. Symantec released a report on “Nitro” targeted attacks from China on at least 48 chemical and defense companies in the US, Bangladesh and the UK. Symantec also revised their Duqu report after the Laboratory of Cryptography and System Security in Hungary reported a previously unknown vulnerability, exploited via an MS Word file, that dropped Duqu in a targeted attack. Microsoft issued a related Security Advisory and a “Fix-it” tool. The RISK Team recommends that only the most risk-averse organizations act on it because the threat rate is so low. Microsoft pre-announced four security bulletins for next week, and the Duqu-related vulnerability will probably not be among them. The US government’s National Counterintelligence Executive issued a report that removes doubt as to the countries conducting cyber-espionage against Google and companies in the US energy sector. The US Intelligence Community reported the People’s Republic of China was responsible—31 pages and none of it actionable. Finally, some actionable intel: Qualys provided concise risk mitigation tips to reduce the effectiveness of slow HTTP DoS attacks. Cheers to them!