Archive for February, 2012
Weekly Intelligence Summary: 2012-02-24
Friday, February 24th, 2012
Your iron(y) for the week: Anonymous, without hacking or DoSing, hijacked the Wall Street Journal’s Facebook page Tuesday to express their criticism of a WSJ article on the power of Anonymous. No data breach or network outage, but it demonstrates a general risk in social media: a business’s message can be hijacked. What was a tool yesterday was used as a weapon against the business today. Intellectual attacks on the premise of whether Anonymous could pose a risk to the electrical grid in coming years lack an appreciation of the need to “what if” intellectually, so as to avoid “why weren’t we warned/prepared?” later. More practical and tactical intelligence this week includes AlienVault’s Open Threat Exchange and Metasploit 4.2 with 54 new exploits and IPv6 functionality. Bank Hapoalim, Israel’s largest bank, was targeted by criminals appearing to come from, not China, but Iran. However, bank officials stated the attack was thwarted. The “attack targeted personal computers used for browsing and email,” implying an email-borne attack.
Weekly Intelligence Summary: 2012-02-17
Saturday, February 18th, 2012
Updates, attack reports and superb intel reports galore this week: Microsoft, Adobe, Adobe again, Mozilla, Chrome, Java and RealPlayer. DoS attacks caused intermittent connectivity on at least five stock exchange web sites without interrupting trading. It would be surprising if there were no DoS attacks leading up to the Russian elections. The reader’s attention is invited to useful intelligence reports released this week on electronic health care records by Megapath, threats to industrial control systems from ICS-CERT, advanced malware threats from FireEye, DNS abuse from ISC, domain registration abuse from Knujon and SpyEye from Damballa. Also, Bluecoat published their report on “Malnets” and Fortinet has a very good 3-part series, “Anatomy of a Crimeware Syndicate,” beginning at this link. We all knew we were going to have to pay for those slow weeks.
Weekly Intelligence Summary: 2012-02-10
Friday, February 10th, 2012
A Zeus variant some AVs call “Citadel” has received considerable attention recently, but we know that malware criminals are almost constantly modifying their wares to avoid detection and to add features. Citadel may develop into a significant risk, but in spite of its press, it appears to the RISK Team to be just another Trojan. Malware exploiting a Microsoft Office (Word) vulnerability patched in September was spotted by Symantec in targeted attacks. Cathal Mullaney at Symantec reported on “A Million-Dollar Mobile Botnet,” and no one on the RISK Team was surprised to learn it runs on Android. Webroot and M86 reported on web exploits attacking visitors’ browsers. Websense reported Blackhole-related injection attacks disguised as Google Analytics code. Over the weekend ACTA protests are expected in Europe, and Microsoft pre-notified for nine security bulletins on Tuesday of next week. Finally, the RSA Conference will be in a couple of weeks. There’s going to be plenty of attention-seeking behavior in the InfoSec community. All of it will probably be true, but very little will ever become problems.
Weekly Intelligence Summary: 2012-02-03
Friday, February 3rd, 2012
Best InfoSec risk intel this week: please read Imperva’s Business Logic Attack report. John Levine on the CircleID blog nailed it: “World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago.” Verisign said: “we do not believe that the operational integrity of the Domain Name System (DNS) was compromised.” Verisign also said, “non-production corporate network,” and “Information stored on the compromised corporate systems was exfiltrated.” That is what we know. Everything else is either generalizations about data breaches or is just conjecture; be very skeptical. A colleague-to-colleague appeal to Verisign: contribute to the community and to our profession and provide us with enough details for mutual defense. If it was just another spear-phishing-delivered PDF Trojan, fine, but please say so. We don’t want your dirty laundry. We do all want to keep our own houses in order. Anonymous attacked four banks in Brazil. In Australia, criminals breached hosting provider Fairfax and domain trader Netfleet. And another round of attacks transforming WordPress sites into malware distribution platforms is underway.