Archive for December, 2011

Announcing 2012 DBIR Participants

Tuesday, December 27th, 2011

Ah, the week between Christmas and New Year’s Day: lots of folks out enjoying “use or lose” vacation time, the pace of work a bit slower than normal, significantly fewer emails and other distractions demanding attention. A great time to reflect on the old, anticipate the new, and cross off some long-standing items from the to-do list.

Given the nature of the season, it’s also appropriate to ponder the topic of sharing. Sure, there’s the sharing of time, fellowship, gifts, and food with which we’ve all been involved recently, but as the year draws to a close, many of us on the RISK Team are also thinking about sharing of a different nature – incident sharing.

It’s doubtful that security incidents made the top of anyone’s wish list this year (or any other), but the knowledge gained through studying them and sharing lessons learned is often considered to be a gift worth keeping. Many of you will remember that our effort to study and share incident information with the world is done through the annual Data Breach Investigations Reports (DBIR). Though the publication is still a few months away, we’re very glad to give a foretaste of what our readers can expect early next year.

We’ve continued our efforts to expand the scope and perspective of the DBIR, and the 2012 version should be the biggest ever in many respects. One of the things we’re particularly excited about is that we will have participants representing the Americas, EMEA, and APAC regions. Submitting data and analysis for the 2012 DBIR are:

  • The U.S. Secret Service
  • The Dutch High Tech Crime Unit
  • The Australian Federal Police
  • The Irish Reporting and Information Service
  • The London Metropolitan Police

We’d like to applaud and thank these organizations for their willingness to contribute to the 2012 DBIR and, more importantly, to increasing the collective knowledge of the security community. As we head into our annual DBIR production cycle, we’d like to wish you a happy and secure 2012.

Weekly Intelligence Summary: 2011-12-16

Monday, December 19th, 2011

Adobe released updates for Adobe Acrobat and Reader version 9 for a vulnerability reported last week that was being used in targeted attacks. Enterprises that have not migrated to Adobe Reader X should test and deploy this patch within 30 days. More reports of exploits for a Java vulnerability patched by Oracle in October are showing up in crimeware. Video game company Square Enix (Final Fantasy, Kingdom Hearts) was the victim of another data breach, and as many as 1.8 million accounts were compromised. Compromised account data included personal registration information, but the site didn’t accept credit cards. The company reported an earlier compromise in May. Symantec reported the Nitro attackers were still active and were spoofing Symantec to try to trick users into installing Trojans. Microsoft released a lucky thirteen security bulletins, but also called our attention to general improvement across their products.

Weekly Intelligence Summary: 2011-12-09

Friday, December 9th, 2011

Adobe announced a previously unreported vulnerability in Adobe Reader and Acrobat, and acknowledged Lockheed Martin and the Defense Security Information Exchange for reporting it. Mila Parkour and Symantec have additional details on targeted attacks exploiting the vulnerability. Defensive systems from AV to IDS have been updated this week to improve detection of related attacks. Your attention is invited to a post by Branden Williams on RSA’s blog and their “Security Practices Critical Checklist”; it is almost certainly the most widely useful risk intelligence collection for this week. To some it may seem like “mom and apple pie,” but if one considers the source – RSA’s experience on their own network and their perspective including their customers – it might be unwise to dismiss it. In another example of experience and perspective contributing to the credibility of an intelligence collection, RISK Team alumnus Alex Hutton made some pointed observations on risk management on the New School security blog. Microsoft pre-announced fourteen bulletins for Tuesday, and if that isn’t sobering enough, read Paul Ducklin’s report on malware on thumb drives. Picking up a lost thumb drive is the antithesis of a “lucky penny.”

Weekly Intelligence Summary: 2011-12-02

Friday, December 2nd, 2011

From the same source that informed us that Sergey Brin and Steve Ballmer cooked up a “new and frightening Stuxnet” on Larry Ellison’s barbecue, we now hear about West Milford, New Jersey’s “water plant victim of ‘Terrorism.’” After the “comedy of errors” at an Illinois water plant, stirred up by Joe Weiss, we had expectations that the irrational hyperbole might be tempered; apparently not. Last month, we learned of targeted attacks on energy and defense companies as well as SCADA systems in Norway. This week, we learned of attacks on Canadian companies related to chemicals and mining. Kaspersky continues to analyze and share details on Duqu. A year ago we were led to believe Zeus was on the way out, but new reports from Brian Krebs and Symantec make it clear it’s a continuing threat. The most interesting InfoSec intel collection this week was Edward Jay Epstein’s unconfirmed account of Dominique Strauss-Kahn’s day on 2011-05-14. Think InfoSec by Ian Fleming. It remains to be seen if it will be in the library’s non-fiction section or in fiction next to Brin, Ballmer and Ellison’s virus and Weiss’ water pump, but it initially appears to be more interesting to follow.