No – it’ not a typo, and, as far as I know, I haven’t lost my marbles (yet) either. The title is intended to read exactly as it appears. I suppose some explanation is in order…

If you keep abreast of what folks in the security industry are talking about with any regularity then you’ve probably read something lately about how the current economic crisis might affect corporate information security. For instance, layoffs could result in the loss of key security personnel and/or trigger retaliation from bitter employees. Others are worried that slashed budgets won’t allow security programs to buy what they need to buy, or do what they need to do. The list goes on.

(more…)

There seems to be a lot of discussion regarding the 7 years it took for Microsoft to patch against SMBRelay (the name of a tool published in 2001.) There’s some speculation that Microsoft is only now addressing the issue because a Metasploit module was added in 2007 to exploit the vulnerability. Here’s our take.

Should Microsoft have patched SMB sooner? Why? Who has been adversely affected by the vulnerability? We’ve never had an Incident Response case that involved abuse of it. Given the fact that we now know there was a solution to the puzzle, chances are that solution was stumbled upon by accident in one of those “Eureka” moments. Once that idea was finally conceived, of course, it made sense for them to produce a patch, but do try to appreciate just what was at stake as they attempted to implement it and test it. Thousands, if not hundreds of thousands of 3rd party applications are based on SMB working just the way it does. Break it while patching the vulnerability and you’d have a lot of upset people.

(more…)

From January to July 2008 Microsoft’s technologies disinfected just over 8 million more computers than it did in the previous six month period according to their just released 5th Security Intelligence Report.

Such a statement will make many jump to the conclusion that the state of crimeware is getting worse. But such a conclusion may not be accurate. For example, the increase in distinct computers cleansed in this latest period is just under 50%, whereas in the 2H07 report the increase was just over 79%. The increase in 1H07 was 95%. So the percentage increase this time around is smaller than it has been previously. The same can be said for the number of distinct infections cleansed. 1H08 was 47% higher than 2H07, but 2H07 was 219% higher than 1H07 and 1H07 was 80% higher than 2H06.

(more…)

Microsoft rarely releases these out of cycle patches, but when they do lots of people get excited. It should come as no surprise that we aren’t.

If you want to get an idea of what could happen as a result of this vulnerability, think MS06-040/Graweg/Mocbot/SDBot/August-September 2006. MS06-040 was a similar vulnerability which allowed criminals to gain control of systems they could reach via Server Message Block (SMB). Of course if you can get to someone’s machine via SMB, there’s a lot of harm that could possibly be done.

(more…)

By Wade Baker

“Attacks vary, therefore risk management doesn’t work.” To be fair, that’s not a direct quote from a recent Dark Reading article entitled “Why Risk Management Doesn’t Work”, but it is an accurate expression of its message. Like us (and Alex Hutton of RMI), you may be thinking that something about that message doesn’t seem quite right. Congratulations – you’re a logician.

Non sequitur is a Latin phrase meaning “it does not follow.” It applies to an argument where the conclusion does not logically follow from the premise. Need a good example? Check out the Dark Reading article which discusses our 2008 Data Breach Investigations Supplemental Report. Actually, the article itself isn’t bad; it does a fine job covering some of the findings from our report. My main objection is with the logical conclusion implied in the title which, oddly, doesn’t seem to square with what the article spends most of its time discussing.
(more…)

by Dave Kennedy

We humans introduce risk regardless of our good intentions.  We security types tend to be a paranoid lot, thinking every unfortunate event is evidence someone is out to get us.  Yet we are regularly reminded of Hanlon’s Razor, quoted above.  Recently, we have two high-profile “oopsies” which demonstrate the premise of Hanlon’s Razor, namely that not all bad outcomes have an evil-doer involved.

Last week, a colleague at Verizon Business wanted to inform his customers and colleagues that we had published a supplement to our Data Breach Investigations Report. He crafted an e-mail message and used a list of addresses from a public (non-Verizon) website for the “To:” line in Outlook.  Oops.  He had intended to use the blind carbon copy (BCC) address line to ensure privacy of the recipients, but this did not happen. Certainly, in this case, his actions counted more than intentions.  Of course, he knows this is an easy-to-make error and thus one to guard against.  The earliest instance I’ve found of this bcc mishap dates back to 2001, but we can be pretty sure this mistake is older than that.

(more…)

How many times have you been asked about the Return On Investment (ROI) for some security product you were thinking of purchasing? For most of you, it’s probably a great deal. And determining ROI has likely not been easy either. How much productivity might be lost due to a breach? How do I count the time? Do I base it on wages, lost sales, reputation, or damage?

(more…)

By Wade Baker

Since releasing the 2008 Data Breach Investigations Report (DBIR) in June, we’ve frequently been asked some form of the following question: “Do the findings presented in the report differ among industries?” It’s a good question, and one we’re working on answering at length in a supplemental report contrasting the four most frequently breached industries (Financial Services, Tech Services, Retail, and Food & Beverage) using the original dataset. We plan to release the report sometime next month, but would like to give you a sneak peak in this post.

You may remember that the 2008 DBIR considered three main sources, or origins, of data breaches: external, internal and partner. The upcoming supplemental report naturally adopts this same trio of sources. Based on Verizon Business caseload from 2004 through 2007, the figure below depicts the percentage of breaches attributed to internal, external and partner sources for each industry group.

(more…)

By Mark Zimmerman

We all cringe when we see a member of the executive management heading in our direction clutching a trade magazine with the latest WIBHI (Wouldn’t it be Horrible If) article highlighted. In order to help address this situation, we’ll discuss a topic that is, unfortunately, still only largely written about or discussed more than actually understood and/or implemented within the Information Technology department—Risk Analysis.

I’m talking about Risk Analysis skills at the day-to-day, rubber-meets-the-road implementation level, versus that once a year frantic exercise done a half hour before the auditor arrives. You know, the guy (or gal) who freaks everyone out by setting himself up in the conference room and calling people in to ask them to describe their job functions.

(more…)

By Peter Tippett and Russ Cooper

There is a huge amount of angst, discussion, testing and endless worry about the “new DNS vulnerability” whose existence was published a few weeks ago concurrent with a coordinated patch release. Its dastardly “vulnerability” or “threat scenario” will be disclosed in full in early August. The worry is that, once fully disclosed, the unprepared world will be at risk—or at least large portions will be—and whole new categories of exploit will suddenly be possible…or something like that.

Let’s get out a few facts, and then discuss some hypothetical attacks. We’ll assume the extremes and see just how a very old and well-understood vulnerability might behave differently if, for example, a simple cache poisoning attack tool or technique were released. [For a primer on DNS look here. For a primer on DNS Cache Poisoning look here.]

(more…)